From: "Saloni Kasbekar"
To: "Douglas Flick [MSFT]", "devel@edk2.groups.io"
CC: "Clark-williams, Zachary"
Subject: Re: [edk2-devel] [PATCH v2 04/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
Date: Thu, 1 Feb 2024 19:42:11 +0000

Reviewed-by: Saloni Kasbekar

-----Original Message-----
From: Douglas Flick [MSFT]
Sent: Thursday, January 25, 2024 1:55 PM
To: devel@edk2.groups.io
Cc: Douglas Flick [MSFT]; Kasbekar, Saloni; Clark-williams, Zachary
Subject: [PATCH v2 04/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534

Bug Details:
PixieFail Bug #1
CVE-2023-45229
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read

Change Overview:

Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking the Inner Option from a DHCP6 Option.

>
> EFI_STATUS
> Dhcp6SeekInnerOptionSafe (
>   IN UINT16 IaType,
>   IN UINT8 *Option,
>   IN UINT32 OptionLen,
>   OUT UINT8 **IaInnerOpt,
>   OUT UINT16 *IaInnerLen
>   );
>

Lots of code cleanup to improve code readability.

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: Doug Flick [MSFT]
---
 NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 138 +++++++++++++++++++---
 NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 203 +++++++++++++++++++++-----------
 2 files changed, 256 insertions(+), 85 deletions(-)

diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Imp= l.h index f2422c2f2827..220e7c68f11b 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h 
@@ -45,6 +45,20 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; #define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S') #defin= e DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I') +#define DHCP= 6_PACKET_ALL 0+#define DHCP6_PACKET_STATEFUL 1+#define DHCP6_PACKE= T_STATELESS 2++#define DHCP6_BASE_PACKET_SIZE 1024++#define DHCP6_PORT_CL= IENT 546+#define DHCP6_PORT_SERVER 547++#define DHCP_CHECK_MEDIA_WAITING_= TIME EFI_TIMER_PERIOD_SECONDS(20)++#define DHCP6_INSTANCE_FROM_THIS(Instan= ce) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)+#defi= ne DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, Servic= eBinding, DHCP6_SERVICE_SIGNATURE)+ // // For more information on DHCP opti= ons see RFC 8415, Section 21.1 //@@ -59,12 +73,10 @@ typedef struct _DHCP6_= INSTANCE DHCP6_INSTANCE; // | (option-len octets) | //= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ //-#d= efine DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16))-#define DHCP6_SIZE_OF_OPT_LE= N (sizeof(UINT16))+#define DHCP6_SIZE_OF_OPT_CODE (sizeof (((EFI_DHCP6_P= ACKET_OPTION *)0)->OpCode))+#define DHCP6_SIZE_OF_OPT_LEN (sizeof (((EFI_= DHCP6_PACKET_OPTION *)0)->OpLen)) -// // Combined size of Code and Length-/= / #define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \ = DHCP6_SIZE_OF_OPT_LEN) @@ -73= ,34 +85,122 @@ STATIC_ASSERT ( "Combined size of Code and Length must be 4 per RFC 8415" ); -// // Of= fset to the length is just past the code-//-#define DHCP6_OPT_LEN_OFFSET(a)= (a + DHCP6_SIZE_OF_OPT_CODE)+#define DHCP6_OFFSET_OF_OPT_LEN(a) (a + DHC= P6_SIZE_OF_OPT_CODE) STATIC_ASSERT (- DHCP6_OPT_LEN_OFFSET (0) =3D=3D 2,+ = DHCP6_OFFSET_OF_OPT_LEN (0) =3D=3D 2, "Offset of length is + 2 past star= t of option" ); -#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COM= BINED_CODE_AND_LEN)+#define DHCP6_OFFSET_OF_OPT_DATA(a) (a + DHCP6_SIZE_OF= _COMBINED_CODE_AND_LEN) STATIC_ASSERT (- DHCP6_OPT_DATA_OFFSET (0) =3D=3D = 4,+ 
DHCP6_OFFSET_OF_OPT_DATA (0) =3D=3D 4, "Offset to option data should= be +4 from start of option" );+//+// Identity Association options (both = NA (Non-Temporary) and TA (Temporary Association))+// are defined in RFC 84= 15 and are a deriviation of a TLV stucture+// For more information on IA_NA= see Section 21.4+// For more information on IA_TA see Section 21.5+//+//+/= / The format of IA_NA and IA_TA option:+//+// 0 1 2 3 4 5 6 7 8 9 0 1 = 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++// | OPTION_IA_NA = | option-len |+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+-+-+-+-+-+-+-+-+-+-+-+-+-+-++// | IAID (4 octet= s) |+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+-+-+-+-+-+-+-+-+-+-+-++// | T1 (only for IA_NA)= |+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+-+-+-+-+-+-+-+-++// | T2 (only for IA_NA) = |+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+-+-+-+-+-++// | = |+// . IA_NA-options/IA_TA-options = .+// . 
= .+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= +//+#define DHCP6_SIZE_OF_IAID (sizeof(UINT32))+#define DHCP6_SIZ= E_OF_TIME_INTERVAL (sizeof(UINT32)) -#define DHCP6_PACKET_ALL 0-#de= fine DHCP6_PACKET_STATEFUL 1-#define DHCP6_PACKET_STATELESS 2+// Combine= d size of IAID, T1, and T2+#define DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (DHCP= 6_SIZE_OF_IAID + \+ DHCP6_SIZE_= OF_TIME_INTERVAL + \+ DHCP6_SIZE= _OF_TIME_INTERVAL)+STATIC_ASSERT (+ DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 =3D= =3D 12,+ "Combined size of IAID, T1, T2 must be 12 per RFC 8415"+ ); -#de= fine DHCP6_BASE_PACKET_SIZE 1024+// This is the size of IA_TA without opti= ons+#define DHCP6_MIN_SIZE_OF_IA_TA (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN += \+ DHCP6_SIZE_OF_IAID)+STATIC_ASSERT (+ = DHCP6_MIN_SIZE_OF_IA_TA =3D=3D 8,+ "Minimum combined size of IA_TA per RFC= 8415"+ ); -#define DHCP6_PORT_CLIENT 546-#define DHCP6_PORT_SERVER 547+= // Offset to a IA_TA inner option+#define DHCP6_OFFSET_OF_IA_TA_INNER_OPT(a= ) (a + DHCP6_MIN_SIZE_OF_IA_TA)+STATIC_ASSERT (+ DHCP6_OFFSET_OF_IA_TA_IN= NER_OPT (0) =3D=3D 8,+ "Offset of IA_TA Inner option is + 8 past start of = option"+ ); -#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECON= DS(20)+// This is the size of IA_NA without options (16)+#define DHCP6_MIN_= SIZE_OF_IA_NA DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \+ = DHCP6_SIZE_OF_COMBINED_IAID_T1_T2+STATIC_ASSERT (+ DHCP6_MIN_= SIZE_OF_IA_NA =3D=3D 16,+ "Minimum combined size of IA_TA per RFC 8415"+ = ); -#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTA= NCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)-#define DHCP6_SERVICE_FROM_THIS(Servi= ce) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATUR= E)+#define DHCP6_OFFSET_OF_IA_NA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_NA= )+STATIC_ASSERT (+ DHCP6_OFFSET_OF_IA_NA_INNER_OPT (0) =3D=3D 16,+ "Offse= t of IA_NA Inner option is + 16 past start of option"+ );++#define DHCP6_O= FFSET_OF_IA_NA_T1(a) (a + \+ DHCP6_SIZE_= 
OF_COMBINED_CODE_AND_LEN + \+ DHCP6_SIZE_= OF_IAID)+STATIC_ASSERT (+ DHCP6_OFFSET_OF_IA_NA_T1 (0) =3D=3D 8,+ "Offset= of IA_NA Inner option is + 8 past start of option"+ );++#define DHCP6_OFF= SET_OF_IA_NA_T2(a) (a + \+ DHCP6_SIZE_OF= _COMBINED_CODE_AND_LEN +\+ DHCP6_SIZE_OF_= IAID + \+ DHCP6_SIZE_OF_TIME_INTERVAL)+ST= ATIC_ASSERT (+ DHCP6_OFFSET_OF_IA_NA_T2 (0) =3D=3D 12,+ "Offset of IA_NA = Inner option is + 12 past start of option"+ );++//+// For more information= see RFC 8415 Section 21.13+//+// The format of the Status Code Option:+//+= // 0 1 2 3+// = 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+// +-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++// | = OPTION_STATUS_CODE | option-len |+// +-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++// | st= atus-code | |+// +-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+ |+// . = .+// . = status-message .+// . = .+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++//+#define DHCP6_OFFSET_OF_STATUS_COD= E(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)+STATIC_ASSERT (+ DHCP6_OFF= SET_OF_STATUS_CODE (0) =3D=3D 4,+ "Offset of status is + 4 past start of o= ption"+ ); extern EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress; ext= ern EFI_DHCP6_PROTOCOL gDhcp6ProtocolTemplate;diff --git a/NetworkPkg/Dhcp= 6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c index bf5aa7a769de..89d16484a568 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c 
@@ -598,8 +598,8 @@ Dhcp6UpdateIaInfo ( // The inner options still start with 2 bytes option-code and 2 bytes op= tion-len. // if (Instance->Config->IaDescriptor.Type =3D=3D Dhcp6OptIan= a) {- T1 =3D NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 8)));- T2 = =3D NTOHL (ReadUnaligned32 ((UINT32 *)(Option + 12)));+ T1 =3D NTOHL (Re= adUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T1 (Option))));+ T2 =3D = NTOHL (ReadUnaligned32 ((UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option)))); = // // Refer to RFC3155 Chapter 22.4. If a client receives an IA_NA wi= th T1 greater than T2, // and both T1 and T2 are greater than 0, the cl= ient discards the IA_NA option and processes@@ -609,13 +609,14 @@ Dhcp6Upda= teIaInfo ( return EFI_DEVICE_ERROR; } - IaInnerOpt =3D Option + 16;- = IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2))) - = 12);+ IaInnerOpt =3D DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);+ IaInn= erLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_L= EN (Option)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2); } else {- T1 = =3D 0;- T2 =3D 0;- IaInnerOpt =3D Option + 8;- IaInner= Len =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 2))) - 4);+ = T1 =3D 0;+ T2 =3D 0;++ IaInnerOpt =3D DHCP6_OFFSET_OF_IA_TA_INNER_OP= T (Option);+ IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(= DHCP6_OFFSET_OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID); } //@@ -641= ,7 +642,7 @@ Dhcp6UpdateIaInfo ( Option =3D Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode)= ; if (Option !=3D NULL) {- StsCode =3D NTOHS (ReadUnaligned16 ((UINT1= 6 *)(Option + 4)));+ StsCode =3D NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP= 6_OFFSET_OF_OPT_LEN (Option)))); if (StsCode !=3D Dhcp6StsSuccess) { = return EFI_DEVICE_ERROR; }@@ -661,6 +662,87 @@ Dhcp6UpdateIaInfo ( return Status; } +/**+ Seeks the Inner Options from a DHCP6 Option++ @= param[in] IaType The type of the IA option.+ @param[in] Option = The pointer to the DHCP6 Option.+ @param[in] OptionLen The= 
length of the DHCP6 Option.+ @param[out] IaInnerOpt The pointer to t= he IA inner option.+ @param[out] IaInnerLen The length of the IA inne= r option.++ @retval EFI_SUCCESS Seek the inner option successfully= .+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Error,+ = the pointers are not modified+**/+EFI_STATUS+Dhcp6Se= ekInnerOptionSafe (+ IN UINT16 IaType,+ IN UINT8 *Option,+ IN UINT= 32 OptionLen,+ OUT UINT8 **IaInnerOpt,+ OUT UINT16 *IaInnerLen+ )+{+= UINT16 IaInnerLenTmp;+ UINT8 *IaInnerOptTmp;++ if (Option =3D=3D NUL= L) {+ ASSERT (Option !=3D NULL);+ return EFI_DEVICE_ERROR;+ }++ if = (IaInnerOpt =3D=3D NULL) {+ ASSERT (IaInnerOpt !=3D NULL);+ return EF= I_DEVICE_ERROR;+ }++ if (IaInnerLen =3D=3D NULL) {+ ASSERT (IaInnerLen= !=3D NULL);+ return EFI_DEVICE_ERROR;+ }++ if (IaType =3D=3D Dhcp6Opt= Iana) {+ // Verify we have a fully formed IA_NA+ if (OptionLen < DHCP= 6_MIN_SIZE_OF_IA_NA) {+ return EFI_DEVICE_ERROR;+ }++ //+ IaI= nnerOptTmp =3D DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);++ // Verify the= IaInnerLen is valid.+ IaInnerLenTmp =3D (UINT16)NTOHS (ReadUnaligned16 = ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));+ if (IaInnerLenTmp < DHCP= 6_SIZE_OF_COMBINED_IAID_T1_T2) {+ return EFI_DEVICE_ERROR;+ }++ = IaInnerLenTmp -=3D DHCP6_SIZE_OF_COMBINED_IAID_T1_T2;+ } else if (IaType = =3D=3D Dhcp6OptIata) {+ // Verify the OptionLen is valid.+ if (Option= Len < DHCP6_MIN_SIZE_OF_IA_TA) {+ return EFI_DEVICE_ERROR;+ }++ = IaInnerOptTmp =3D DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);++ // Verify = the IaInnerLen is valid.+ IaInnerLenTmp =3D (UINT16)NTOHS (ReadUnaligned= 16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));+ if (IaInnerLenTmp <= DHCP6_SIZE_OF_IAID) {+ return EFI_DEVICE_ERROR;+ }++ IaInnerLen= Tmp -=3D DHCP6_SIZE_OF_IAID;+ } else {+ return EFI_DEVICE_ERROR;+ }++ = *IaInnerOpt =3D IaInnerOptTmp;+ *IaInnerLen =3D IaInnerLenTmp;++ return = EFI_SUCCESS;+}+ /** Seek StatusCode Option in package. 
A Status Code opti= on may appear in the options field of a DHCP message and/or in the option= s field of another option.@@ -684,6 +766,12 @@ Dhcp6SeekStsOption ( UINT8 *IaInnerOpt; UINT16 IaInnerLen; UINT16 StsCode;+ UINT32 = OptionLen;++ // OptionLen is the length of the Options excluding the DHCP = header.+ // Length of the EFI_DHCP6_PACKET from the first byte of the Head= er field to the last+ // byte of the Option[] field.+ OptionLen =3D Packe= t->Length - sizeof (Packet->Dhcp6.Header); // // Seek StatusCode optio= n directly in DHCP message body. That is, search in@@ -691,12 +779,12 @@ Dh= cp6SeekStsOption ( // *Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option,- = Packet->Length - 4,+ OptionLen, Dhc= p6OptStatusCode ); if (*Option !=3D NULL) {- StsCode = =3D NTOHS (ReadUnaligned16 ((UINT16 *)(*Option + 4)));+ StsCode =3D NTOH= S (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (*Option)))); = if (StsCode !=3D Dhcp6StsSuccess) { return EFI_DEVICE_ERROR; }@= @ -707,7 +795,7 @@ Dhcp6SeekStsOption ( // *Option =3D Dhcp6SeekIaOption ( Packet->Dhcp6.Option,= - Packet->Length - sizeof (EFI_DHCP6_HEADER),+ Op= tionLen, &Instance->Config->IaDescriptor ); i= f (*Option =3D=3D NULL) {@@ -715,52 +803,35 @@ Dhcp6SeekStsOption ( } //- // The format of the IA_NA option is:+ // Calculate the dista= nce from Packet->Dhcp6.Option to the IA option. //- // 0 = 1 2 3- // 0 1 2 3 4 5 6 7 8= 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1- // +-+-+-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- // | OPTION_IA_= NA | option-len |- // +-+-+-+-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- // | = IAID (4 octets) |- // +-+-+-+-+-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- // | = T1 |- // +-+-+-+-+-+-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- // | = T2 |- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- // | = |- // . IA_N= A-options .- // . 
= .- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++ // Packet->Size and Packet->Length are = both UINT32 type, and Packet->Size is+ // the size of the whole packet, in= cluding the DHCP header, and Packet->Length+ // is the length of the DHCP = message body, excluding the DHCP header. //- // The format of the IA_TA = option is:+ // (*Option - Packet->Dhcp6.Option) is the number of bytes fro= m the start of+ // DHCP6 option area to the start of the IA option. //- = // 0 1 2 3- // = 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1- // = +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- // = | OPTION_IA_TA | option-len |- // += -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- // | = IAID (4 octets) |- // +-+= -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- // | = |- // . = IA_TA-options .- // . = .- // +-+-+-+= -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++ // Dhcp6SeekIn= nerOptionSafe() is searching starting from the start of the+ // IA option = to the end of the DHCP6 option area, thus subtract the space+ // up until = this option //+ OptionLen =3D OptionLen - (*Option - Packet->Dhcp6.Optio= n); //- // sizeof (option-code + option-len + IaId) =3D 8- /= / sizeof (option-code + option-len + IaId + T1) =3D 12- // sizeof (op= tion-code + option-len + IaId + T1 + T2) =3D 16+ // Seek the inner option = //- // The inner options still start with 2 bytes option-code and 2 byte= s option-len.- //- if (Instance->Config->IaDescriptor.Type =3D=3D Dhcp6Op= tIana) {- IaInnerOpt =3D *Option + 16;- IaInnerLen =3D (UINT16)(NTOHS= (ReadUnaligned16 ((UINT16 *)(*Option + 2))) - 12);- } else {- IaInnerO= pt =3D *Option + 8;- IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UI= NT16 *)(*Option + 2))) - 4);+ if (EFI_ERROR (+ Dhcp6SeekInnerOption= Safe (+ Instance->Config->IaDescriptor.Type,+ *Option,+ = OptionLen,+ &IaInnerOpt,+ &IaInnerLen+ )= + ))+ {+ return EFI_DEVICE_ERROR; } //@@ 
-784,7 +855,7 @@ D= hcp6SeekStsOption ( // *Option =3D Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatus= Code); if (*Option !=3D NULL) {- StsCode =3D NTOHS (ReadUnaligned16 ((= UINT16 *)(*Option + 4)));+ StsCode =3D NTOHS (ReadUnaligned16 ((UINT16 *= )((DHCP6_OFFSET_OF_STATUS_CODE (*Option))))); if (StsCode !=3D Dhcp6Sts= Success) { return EFI_DEVICE_ERROR; }@@ -1105,7 +1176,7 @@ Dhcp6S= endRequestMsg ( // Option =3D Dhcp6SeekOption ( Instance->AdSelect->Dhcp6= .Option,- Instance->AdSelect->Length - 4,+ Instance= ->AdSelect->Length - sizeof (EFI_DHCP6_HEADER), Dhcp6OptServer= Id ); if (Option =3D=3D NULL) {@@ -1289,7 +1360,7 @@ Dhcp6Se= ndDeclineMsg ( // Option =3D Dhcp6SeekOption ( LastReply->Dhcp6.Option,-= LastReply->Length - 4,+ LastReply->Length - sizeof= (EFI_DHCP6_HEADER), Dhcp6OptServerId ); if (Op= tion =3D=3D NULL) {@@ -1448,7 +1519,7 @@ Dhcp6SendReleaseMsg ( // Option =3D Dhcp6SeekOption ( LastReply->Dhcp6.Option,-= LastReply->Length - 4,+ LastReply->Length - sizeof= (EFI_DHCP6_HEADER), Dhcp6OptServerId ); if (Op= tion =3D=3D NULL) {@@ -1673,7 +1744,7 @@ Dhcp6SendRenewRebindMsg ( Option =3D Dhcp6SeekOption ( LastReply->Dhcp6.Option,-= LastReply->Length - 4,+ LastReply->Length - si= zeof (EFI_DHCP6_HEADER), Dhcp6OptServerId ); = if (Option =3D=3D NULL) {@@ -2208,7 +2279,7 @@ Dhcp6HandleReplyMsg ( // Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option,- = Packet->Length - 4,+ Packet->Length - sizeof (EFI_DHC= P6_HEADER), Dhcp6OptRapidCommit ); @@ -2354,7 +24= 25,7 @@ Dhcp6HandleReplyMsg ( // // Any error status code option is found. 
//- StsCode = =3D NTOHS (ReadUnaligned16 ((UINT16 *)(Option + 4)));+ StsCode =3D NTOHS= (ReadUnaligned16 ((UINT16 *)((DHCP6_OFFSET_OF_STATUS_CODE (Option))))); = switch (StsCode) { case Dhcp6StsUnspecFail: //@@ -2487,7 +2= 558,7 @@ Dhcp6SelectAdvertiseMsg ( // Option =3D Dhcp6SeekOption ( AdSelect->Dhcp6.Option,- = AdSelect->Length - 4,+ AdSelect->Length - sizeof (E= FI_DHCP6_HEADER), Dhcp6OptServerUnicast ); @@ -24= 98,7 +2569,7 @@ Dhcp6SelectAdvertiseMsg ( return EFI_OUT_OF_RESOURCES; } - CopyMem (Instance->Unicast, = Option + 4, sizeof (EFI_IPv6_ADDRESS));+ CopyMem (Instance->Unicast, DHC= P6_OFFSET_OF_OPT_DATA (Option), sizeof (EFI_IPv6_ADDRESS)); } //@@ -25= 51,7 +2622,7 @@ Dhcp6HandleAdvertiseMsg ( // Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option,- = Packet->Length - 4,+ Packet->Length - sizeof (EFI_DHC= P6_HEADER), Dhcp6OptRapidCommit ); @@ -2645,7 +27= 16,7 @@ Dhcp6HandleAdvertiseMsg ( CopyMem (Instance->AdSelect, Packet, Packet->Size); if (Optio= n !=3D NULL) {- Instance->AdPref =3D *(Option + 4);+ Instance= ->AdPref =3D *(DHCP6_OFFSET_OF_OPT_DATA (Option)); } } else { = //@@ -2714,11 +2785,11 @@ Dhcp6HandleStateful ( // Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option,- = Packet->Length - 4,+ Packet->Length - DHCP6_SIZE_OF_C= OMBINED_CODE_AND_LEN, Dhcp6OptClientId ); - if (= (Option =3D=3D NULL) || (CompareMem (Option + 4, ClientId->Duid, ClientId->= Length) !=3D 0)) {+ if ((Option =3D=3D NULL) || (CompareMem (DHCP6_OFFSET_= OF_OPT_DATA (Option), ClientId->Duid, ClientId->Length) !=3D 0)) { goto= ON_CONTINUE; } 
@@ -2727,7 +2798,7 @@ Dhcp6HandleStateful ( // Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option,- = Packet->Length - 4,+ Packet->Length - DHCP6_SIZE_OF_C= OMBINED_CODE_AND_LEN, Dhcp6OptServerId ); @@ -283= 2,7 +2903,7 @@ Dhcp6HandleStateless ( // Option =3D Dhcp6SeekOption ( Packet->Dhcp6.Option,- = Packet->Length - 4,+ Packet->Length - sizeof (EFI_DHC= P6_HEADER), Dhcp6OptServerId ); --=20 2.43.0
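
Review bot: DHCP6_MIN_SIZE_OF_IA_NA in the Dhcp6Impl.h hunk (@@ -73,34 +85,122 @@) is defined without enclosing parentheses, unlike DHCP6_MIN_SIZE_OF_IA_TA a few lines above it, so any later use beside a higher-precedence operator would bind to only the first term. The two uses in this patch (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA and the parenthesized DHCP6_OFFSET_OF_IA_NA_INNER_OPT) are unaffected, but please wrap the body in parentheses and parenthesize the argument of the DHCP6_OFFSET_OF_* macros as well, e.g. ((a) + DHCP6_MIN_SIZE_OF_IA_NA). The STATIC_ASSERT messages in the same hunk are copy-pasted: the IA_NA size assert says "IA_TA", and the T1 and T2 offset asserts both say "Offset of IA_NA Inner option". The new comment block also misspells "derivation" and "structure".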
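
Review bot: The Dhcp6UpdateIaInfo hunk at @@ -609,13 +609,14 @@ still derives IaInnerLen by subtracting DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (or DHCP6_SIZE_OF_IAID) from the option-len read out of the packet, with no lower-bound check, so an option-len smaller than 12 (or 4) wraps the UINT16 result to a large length that is then handed to Dhcp6SeekOption. The magic numbers are replaced here but the arithmetic is the same as before; this function should call the new Dhcp6SeekInnerOptionSafe the way Dhcp6SeekStsOption now does, rather than open-coding the subtraction.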
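
Review bot: In the Dhcp6UpdateIaInfo hunk at @@ -641,7 +642,7 @@, the status-code read changes from Option + 4 to DHCP6_OFFSET_OF_OPT_LEN (Option), which Dhcp6Impl.h defines as a + DHCP6_SIZE_OF_OPT_CODE and static-asserts to be 2, so StsCode is now loaded from the option-len field instead of the status-code field. Every other converted status-code read in this patch uses DHCP6_OFFSET_OF_STATUS_CODE (static-asserted to be 4); this line should use it too, otherwise the comparison against Dhcp6StsSuccess is made on the wrong bytes.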
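
Review bot: Dhcp6SeekInnerOptionSafe (hunk @@ -661,6 +662,87 @@) checks that OptionLen covers the fixed IA header and that the option-len field is at least the fixed part, but it never compares the option-len read from the packet against OptionLen, so the IaInnerLen it returns can still describe more bytes than remain in the buffer. After the subtraction, add an upper-bound check in each branch, for example rejecting IaInnerLenTmp > OptionLen - DHCP6_MIN_SIZE_OF_IA_NA (and the IA_TA equivalent), before writing the out parameters. Two smaller points in the same function: the header comment documents EFI_DEVICE_ERROR only as "The OptionLen is invalid" although NULL arguments and an unknown IaType return it as well, and there is an empty "//" comment line left before the IA_NA IaInnerOptTmp assignment.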
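
Review bot: In the Dhcp6SeekStsOption hunk at @@ -684,6 +766,12 @@, OptionLen is a UINT32 computed as Packet->Length - sizeof (Packet->Dhcp6.Header) with nothing in the visible lines guaranteeing that Packet->Length is at least the header size, so a short packet wraps OptionLen to a very large value that is then used as the seek length for Dhcp6SeekOption and Dhcp6SeekIaOption and as the bound passed to Dhcp6SeekInnerOptionSafe. Please return EFI_DEVICE_ERROR when Packet->Length < sizeof (Packet->Dhcp6.Header) before the subtraction, or state in the comment where that invariant is enforced.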
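
Review bot: The two Dhcp6HandleStateful hunks (@@ -2714,11 +2785,11 @@ and @@ -2727,7 +2798,7 @@) replace Packet->Length - 4 with Packet->Length - DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN, while every other Dhcp6SeekOption call site converted in this patch uses sizeof (EFI_DHCP6_HEADER). The value being subtracted is the DHCP6 header that precedes Packet->Dhcp6.Option, not an option's code and length fields, so although both constants are 4 the name is misleading here; use sizeof (EFI_DHCP6_HEADER) for consistency with the other call sites.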