From: "Saloni Kasbekar"
To: Doug Flick, "devel@edk2.groups.io"
CC: Doug Flick, "Clark-williams, Zachary"
Subject: Re: [edk2-devel] [PATCH v2 1/4] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch
Date: Tue, 13 Feb 2024 21:51:34 +0000
In-Reply-To: <20240213184603.2985-2-doug.edk2@gmail.com>

Doug,

Thanks! This makes it much easier to read. Could you share the list of tests that were done to verify these changes, and if the actual bug was reproducible with a failing test case that now passes?

Thanks,
Saloni

-----Original Message-----
From: Doug Flick
Sent: Tuesday, February 13, 2024 10:46 AM
To: devel@edk2.groups.io
Cc: Doug Flick; Kasbekar, Saloni; Clark-williams, Zachary; Doug Flick [MSFT]
Subject: [PATCH v2 1/4] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch

From: Doug Flick

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4673
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534

This was not part of the Quarkslab bugs however the same pattern as
CVE-2023-45229 exists in Dhcp6UpdateIaInfo.

This patch replaces the code in question with the safe function
created to patch CVE-2023-45229

>
>   if (EFI_ERROR (
>         Dhcp6SeekInnerOptionSafe (
>           Instance->Config->IaDescriptor.Type,
>           Option,
>           OptionLen,
>           &IaInnerOpt,
>           &IaInnerLen
>           )
>         ))
>   {
>     return EFI_DEVICE_ERROR;
>   }
>

Additionally corrects incorrect usage of macro to read the status

> - StsCode = NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Option)));
> + StsCode = NTOHS (ReadUnaligned16 ((UINT16 *) DHCP6_OFFSET_OF_STATUS_CODE (Option));

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: Doug Flick [MSFT]
--- NetworkPkg/Dhcp6Dxe/Dhcp6Io.h | 22 ++++++ NetworkPkg/Dhcp6Dxe/Dhcp6Io.c |= 70 +++++++++++++++----- 2 files changed, 75 insertions(+), 17 deletions(-) diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h = index 051a652f2b1f..ab0e1ac27f10 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.h 
@@ -217,4 +217,26 @@ Dhcp6OnTimerTick ( IN VOID *Context ); +/**+ Seeks the Inner Options from a DHCP6 = Option++ @param[in] IaType The type of the IA option.+ @param[i= n] Option The pointer to the DHCP6 Option.+ @param[in] OptionLe= n The length of the DHCP6 Option.+ @param[out] IaInnerOpt The p= ointer to the IA inner option.+ @param[out] IaInnerLen The length of = the IA inner option.++ @retval EFI_SUCCESS Seek the inner option s= uccessfully.+ @retval EFI_DEVICE_ERROR The OptionLen is invalid. On Err= or,+ the pointers are not modified+**/+EFI_STA= TUS+Dhcp6SeekInnerOptionSafe (+ IN UINT16 IaType,+ IN UINT8 *Option,= + IN UINT32 OptionLen,+ OUT UINT8 **IaInnerOpt,+ OUT UINT16 *IaInne= rLen+ );+ #endifdiff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dh= cp6Dxe/Dhcp6Io.c index 3b8feb4a2032..a9bffae353d7 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c @@ -528,13 +528,23 @@ Dhcp6UpdateIaInfo ( { EFI_STATUS Status; UINT8 *Option;+ UINT32 OptionLen; = UINT8 *IaInnerOpt; UINT16 IaInnerLen; UINT16 StsCode; = UINT32 T1; UINT32 T2; + T1 =3D 0;+ T2 =3D 0;+ ASSERT (Inst= ance->Config !=3D NULL);++ // OptionLen is the length of the Options exclu= ding the DHCP header.+ // Length of the EFI_DHCP6_PACKET from the first by= te of the Header field to the last+ // byte of the Option[] field.+ Optio= nLen =3D Packet->Length - sizeof (Packet->Dhcp6.Header);+ // // If the = reply was received in response to a solicit with rapid commit option, // = request, renew or rebind message, the client updates the information it has= 
@@ -549,13 +559,29 @@ Dhcp6UpdateIaInfo ( // Option =3D Dhcp6SeekIaOption ( Packet->Dhcp6.Option,- = Packet->Length - sizeof (EFI_DHCP6_HEADER),+ Option= Len, &Instance->Config->IaDescriptor ); if (Opt= ion =3D=3D NULL) { return EFI_DEVICE_ERROR; } + //+ // Calculate th= e distance from Packet->Dhcp6.Option to the IA option.+ //+ // Packet->Si= ze and Packet->Length are both UINT32 type, and Packet->Size is+ // the si= ze of the whole packet, including the DHCP header, and Packet->Length+ // = is the length of the DHCP message body, excluding the DHCP header.+ //+ /= / (*Option - Packet->Dhcp6.Option) is the number of bytes from the start of= + // DHCP6 option area to the start of the IA option.+ //+ // Dhcp6SeekI= nnerOptionSafe() is searching starting from the start of the+ // IA option= to the end of the DHCP6 option area, thus subtract the space+ // up until= this option+ //+ OptionLen =3D OptionLen - (UINT32)(Option - Packet->Dhc= p6.Option);+ // // The format of the IA_NA option is: //@@ -591,32 +6= 17,32 @@ Dhcp6UpdateIaInfo ( // //- // sizeof (option-code + option-len + IaId) =3D 8- = // sizeof (option-code + option-len + IaId + T1) =3D 12- // sizeof (= option-code + option-len + IaId + T1 + T2) =3D 16- //- // The inner optio= ns still start with 2 bytes option-code and 2 bytes option-len.+ // Seek t= he inner option //+ if (EFI_ERROR (+ Dhcp6SeekInnerOptionSafe (+ = Instance->Config->IaDescriptor.Type,+ Option,+ O= ptionLen,+ &IaInnerOpt,+ &IaInnerLen+ )+ = ))+ {+ return EFI_DEVICE_ERROR;+ }+ if (Instance->Config->IaDescript= or.Type =3D=3D Dhcp6OptIana) { T1 =3D NTOHL (ReadUnaligned32 ((UINT32 *= )(DHCP6_OFFSET_OF_IA_NA_T1 (Option)))); T2 =3D NTOHL (ReadUnaligned32 (= (UINT32 *)(DHCP6_OFFSET_OF_IA_NA_T2 (Option)))); // // Refer to RFC= 3155 Chapter 22.4. 
If a client receives an IA_NA with T1 greater than T2, = // and both T1 and T2 are greater than 0, the client discards the IA_NA = option and processes- // the remainder of the message as though the serv= er had not included the invalid IA_NA option.+ // the remainder of the = message as though the server had not included the invalid IA_NA option. = // if ((T1 > T2) && (T2 > 0)) { return EFI_DEVICE_ERROR; }--= IaInnerOpt =3D DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Option);- IaInnerLen= =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (O= ption)))) - DHCP6_SIZE_OF_COMBINED_IAID_T1_T2);- } else {- T1 =3D 0;- = T2 =3D 0;-- IaInnerOpt =3D DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Option);- = IaInnerLen =3D (UINT16)(NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_= OF_OPT_LEN (Option)))) - DHCP6_SIZE_OF_IAID); } //@@ -642,7 +668,7 @@ = Dhcp6UpdateIaInfo ( Option =3D Dhcp6SeekOption (IaInnerOpt, IaInnerLen, Dhcp6OptStatusCode)= ; if (Option !=3D NULL) {- StsCode =3D NTOHS (ReadUnaligned16 ((UINT1= 6 *)(DHCP6_OFFSET_OF_OPT_LEN (Option))));+ StsCode =3D NTOHS (ReadUnalig= ned16 ((UINT16 *)(DHCP6_OFFSET_OF_STATUS_CODE (Option)))); if (StsCode = !=3D Dhcp6StsSuccess) { return EFI_DEVICE_ERROR; }@@ -703,15 +729= ,21 @@ Dhcp6SeekInnerOptionSafe ( } if (IaType =3D=3D Dhcp6OptIana) {+ // // Verify we have a fu= lly formed IA_NA+ // if (OptionLen < DHCP6_MIN_SIZE_OF_IA_NA) { = return EFI_DEVICE_ERROR; } + //+ // Get the IA Inner Option and= Length // IaInnerOptTmp =3D DHCP6_OFFSET_OF_IA_NA_INNER_OPT (Optio= n); + // // Verify the IaInnerLen is valid.+ // IaInnerLenTmp= =3D (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)DHCP6_OFFSET_OF_OPT_LEN (Opt= ion))); if (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2) { = return EFI_DEVICE_ERROR;@@ -719,14 +751,18 @@ Dhcp6SeekInnerOptionSafe ( IaInnerLenTmp -=3D DHCP6_SIZE_OF_COMBINED_IAID_T1_T2; } else if (Ia= Type =3D=3D Dhcp6OptIata) {+ // // Verify the OptionLen is valid.+ = // if (OptionLen < DHCP6_MIN_SIZE_OF_IA_TA) { return 
EFI_DEVICE= _ERROR; } IaInnerOptTmp =3D DHCP6_OFFSET_OF_IA_TA_INNER_OPT (Optio= n); + // // Verify the IaInnerLen is valid.+ // IaInnerLenTmp= =3D (UINT16)NTOHS (ReadUnaligned16 ((UINT16 *)(DHCP6_OFFSET_OF_OPT_LEN (Op= tion)))); if (IaInnerLenTmp < DHCP6_SIZE_OF_IAID) { return EFI_DE= VICE_ERROR;--=20 2.34.1

View/Reply Online (#115420): https://edk2.groups.io/g/devel/message/115420
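
Review bot: In the Dhcp6Io.h hunk (@@ -217,4 +217,26 @@), the @retval EFI_DEVICE_ERROR text covers only an invalid OptionLen, but the function body shown later in this patch also returns EFI_DEVICE_ERROR when the option-len field read from the packet is below DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 or DHCP6_SIZE_OF_IAID. The header comment should list that case. It should also describe OptionLen as the number of bytes available from Option to the end of the option area, which is what Dhcp6UpdateIaInfo passes, rather than "The length of the DHCP6 Option".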
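
Review bot: In the @@ -528,13 +528,23 @@ hunk of Dhcp6Io.c, "OptionLen = Packet->Length - sizeof (Packet->Dhcp6.Header)" is an unsigned UINT32 subtraction with no visible check that Packet->Length is at least the header size, so a shorter Length would wrap to a very large OptionLen and weaken every bounds check that depends on it. Suggest returning EFI_DEVICE_ERROR when Packet->Length < sizeof (Packet->Dhcp6.Header) before the subtraction. The added ASSERT (Instance->Config != NULL) is not a runtime check in builds where ASSERT is disabled, so if a NULL Config is reachable here it needs an explicit test.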
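
Review bot: In the @@ -549,13 +559,29 @@ hunk, the new comment block describes Packet->Length as "the length of the DHCP message body, excluding the DHCP header", which contradicts both the comment added at the top of the function (Length runs from the first byte of the Header field) and the code, which subtracts sizeof (Packet->Dhcp6.Header) from it. The same comment writes "(*Option - Packet->Dhcp6.Option)" where the code uses the pointer difference "(Option - Packet->Dhcp6.Option)". Please correct both, and if Dhcp6SeekIaOption only ever returns a pointer inside the range it was given, say so here, since that is what keeps this second subtraction from underflowing.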
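
Review bot: In the @@ -591,32 +617,32 @@ hunk, the T1 and T2 reads at DHCP6_OFFSET_OF_IA_NA_T1 and DHCP6_OFFSET_OF_IA_NA_T2 are only in bounds because Dhcp6SeekInnerOptionSafe has already rejected OptionLen < DHCP6_MIN_SIZE_OF_IA_NA, yet the replacement comment says only "Seek the inner option" and the lines that documented the 8/12/16-byte layout are removed. A one-line comment tying the reads to that check would keep a later reorder from reintroducing the unchecked read. The -/+ pair on the "the remainder of the message" comment appears to differ only in whitespace and could be dropped from a security patch.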
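
Review bot: In the @@ -642,7 +668,7 @@ hunk, the corrected read takes two bytes at DHCP6_OFFSET_OF_STATUS_CODE (Option) as soon as Dhcp6SeekOption returns non-NULL, with no visible check that the status-code option's own option-len is at least 2. Unless Dhcp6SeekOption guarantees that, add the length check before the read. Because this line changes behaviour (the old code compared the option length, not the status code, with Dhcp6StsSuccess), it deserves a test case carrying a non-success status code.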
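
Review bot: In the two Dhcp6SeekInnerOptionSafe hunks (@@ -703,15 +729,21 @@ and @@ -719,14 +751,18 @@), the added comments say "Verify the IaInnerLen is valid", but the visible checks enforce only a lower bound (IaInnerLenTmp < DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 and IaInnerLenTmp < DHCP6_SIZE_OF_IAID). Nothing shown compares the packet-supplied option-len against OptionLen, so the returned IaInnerLen may extend past the end of the option area unless that comparison exists in lines outside these hunks. If it does not, add it; either way the comment should name the bound being checked.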