From: "Saloni Kasbekar"
To: "Douglas Flick [MSFT]", "devel@edk2.groups.io"
CC: Doug Flick, "Clark-williams, Zachary"
Subject: Re: [edk2-devel] [PATCH v2 08/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch
Date: Thu, 1 Feb 2024 20:48:52 +0000

Reviewed-by: Saloni Kasbekar

-----Original Message-----
From: Douglas Flick [MSFT]
Sent: Thursday, January 25, 2024 1:55 PM
To: devel@edk2.groups.io
Cc: Doug Flick; Kasbekar, Saloni; Clark-williams, Zachary; Doug Flick [MSFT]
Subject: [PATCH v2 08/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch

From: Doug Flick

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538

Bug Details:
PixieFail Bug #4
CVE-2023-45232
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Infinite loop when parsing unknown options in the Destination Options header

PixieFail Bug #5
CVE-2023-45233
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Infinite loop when parsing a PadN option in the Destination Options header

Change Overview:

Most importantly this change corrects the following incorrect math and cleans up the code.

> // It is a PadN option
> //
> - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2);
> + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> + Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);

> case Ip6OptionSkip:
> - Offset = (UINT8)(Offset + *(Option + Offset + 1));
> OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length;
> Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);

Additionally, this change also corrects incorrect math where the calling function was calculating the HDR EXT optionLen as a uint8 instead of a uint16

> - OptionLen = (UINT8)((*Option + 1) * 8 - 2);
> + OptionLen = IP6_HDR_EXT_LEN (*Option) - IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN;

Additionally this check adds additional logic to sanitize the incoming data

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams

Signed-off-by: Doug Flick [MSFT]
---
 NetworkPkg/Ip6Dxe/Ip6Nd.h     | 35 ++++++++++++++++
 NetworkPkg/Ip6Dxe/Ip6Option.h | 71 ++++++++++++++++++++++++++++++++
 NetworkPkg/Ip6Dxe/Ip6Option.c | 76 ++++++++++++++++++++++++++++++-----
 3 files changed, 171 insertions(+), 11 deletions(-)

diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h
index 860934a167eb..bf64e9114e13 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Nd.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h
@@ -56,13 +56,48 @@ VOID VOID *Context ); +//+// Per RFC8200 Section 4.2+//+// Two of the cu= rrently-defined extension headers -- the Hop-by-Hop+// Options header and= the Destination Options header -- carry a variable+// number of type-len= gth-value (TLV) encoded "options", of the following+// format:+//+// = +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -+// | Option Type = | Opt Data Len | Option Data+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- = - - - - - - - -+//+// Option Type 8-bit identifier of the typ= e of option.+//+// Opt Data Len 8-bit unsigned integer. Lengt= h of the Option+// Data field of this option, in = octets.+//+// Option Data Variable-length field. Option-Type= -specific+// data.+// typedef struct _IP6_OPTION_= HEADER {+ ///+ /// identifier of the type of option.+ /// UINT8 Typ= e;+ ///+ /// Length of the Option Data field of this option, in octets.+ = /// UINT8 Length;+ ///+ /// Option-Type-specific data.+ /// } IP6_= OPTION_HEADER; STATIC_ASSERT (sizeof (IP6_OPTION_HEADER) =3D=3D 2, "IP6_OP= TION_HEADER is expected to be exactly 2 bytes long."); +#define IP6_NEXT_OP= TION_OFFSET(offset, length) (offset + sizeof(IP6_OPTION_HEADER) + length)+= STATIC_ASSERT (+ IP6_NEXT_OPTION_OFFSET (0, 0) =3D=3D 2,+ "The next optio= n is minimally the combined size of the option tag and length"+ );+ typede= f struct _IP6_ETHE_ADDR_OPTION { UINT8 Type; UINT8 Length;diff --= git a/NetworkPkg/Ip6Dxe/Ip6Option.h b/NetworkPkg/Ip6Dxe/Ip6Option.h index bd8e223c8a67..fb07c28f5ad7 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Option.h +++ b/NetworkPkg/Ip6Dxe/Ip6Option.h 
@@ -12,6 +12,77 @@ #define IP6_FRAGMENT_OFFSET_MASK (~0x3) +//+// For more information see = RFC 8200, Section 4.3, 4.4, and 4.6+//+// This example format is from sect= ion 4.6+// This does not apply to fragment headers+//+// +-+-+-+-+-+-+= -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++// | Next Header = | Hdr Ext Len | |+// +-+-+-+-+-+-+-+-+-+= -+-+-+-+-+-+-+ ++// | = |+// . = .+// . Header-Sp= ecific Data .+// . = .+// | = |+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+-+-+-+-+-+-+-+-+-+-+-+-+-++//+// Next Header 8-bit selecto= r. Identifies the type of+// header immediately= following the extension+// header. Uses the sa= me values as the IPv4+// Protocol field [IANA-PN= ].+//+// Hdr Ext Len 8-bit unsigned integer. Length of the+= // Destination Options header in 8-octet units,+= // not including the first 8 octets.++//+// Thes= e defines apply to the following:+// 1. Hop by Hop+// 2. Routing+// 3= . Destination+//+typedef struct _IP6_EXT_HDR {+ ///+ /// The Next Header = field identifies the type of header immediately+ ///+ UINT8 NextHeader= ;+ ///+ /// The Hdr Ext Len field specifies the length of the Hop-by-Hop = Options+ ///+ UINT8 HdrExtLen;+ ///+ /// Header-Specific Data+ ///+= } IP6_EXT_HDR;++STATIC_ASSERT (+ sizeof (IP6_EXT_HDR) =3D=3D 2,+ "The com= bined size of Next Header and Len is two 8 bit fields"+ );++//+// IPv6 ext= ension headers contain an 8-bit length field which describes the size of+//= the header. However, the length field only includes the size of the extens= ion+// header options, not the size of the first 8 bytes of the header. 
The= refore, in+// order to calculate the full size of the extension header, we = add 1 (to account+// for the first 8 bytes omitted by the length field repo= rting) and then multiply+// by 8 (since the size is represented in 8-byte u= nits).+//+// a is the length field of the extension header (UINT8)+// The r= esult may be up to 2046 octets (UINT16)+//+#define IP6_HDR_EXT_LEN(a) (((U= INT16)((UINT8)(a)) + 1) * 8)++// This is the maxmimum length permissible by= a extension header+// Length is UINT8 of 8 octets not including the first = 8 octets+#define IP6_MAX_EXT_DATA_LENGTH (IP6_HDR_EXT_LEN (MAX_UINT8) - si= zeof(IP6_EXT_HDR))+STATIC_ASSERT (+ IP6_MAX_EXT_DATA_LENGTH =3D=3D 2046,+ = "Maximum data length is ((MAX_UINT8 + 1) * 8) - 2"+ );+ typedef struct _I= P6_FRAGMENT_HEADER { UINT8 NextHeader; UINT8 Reserved;diff --gi= t a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c index 8718d5d8756a..fd97ce116f98 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Option.c +++ b/NetworkPkg/Ip6Dxe/Ip6Option.c 
@@ -17,7 +17,8 @@ @param[in] IpSb The IP6 service data. @param[in] Packet= The to be validated packet. @param[in] Option The= first byte of the option.- @param[in] OptionLen The length of th= e whole option.+ @param[in] OptionLen The length of all options, = expressed in byte length of octets.+ Maximum= length is 2046 bytes or ((n + 1) * 8) - 2 where n is 255. @param[in] Po= inter Identifies the octet offset within = the invoking packet where the error was detected. @@ -31,12 +32,33 = @@ Ip6IsOptionValid ( IN IP6_SERVICE *IpSb, IN NET_BUF *Packet, IN UINT8 *Opt= ion,- IN UINT8 OptionLen,+ IN UINT16 OptionLen, IN UINT32 = Pointer ) {- UINT8 Offset;- UINT8 OptionType;+ UINT16 Offset;= + UINT8 OptionType;+ UINT8 OptDataLen;++ if (Option =3D=3D NULL) {+ = ASSERT (Option !=3D NULL);+ return FALSE;+ }++ if ((OptionLen <=3D = 0) || (OptionLen > IP6_MAX_EXT_DATA_LENGTH)) {+ ASSERT (OptionLen > 0 &&= OptionLen <=3D IP6_MAX_EXT_DATA_LENGTH);+ return FALSE;+ }++ if (Pack= et =3D=3D NULL) {+ ASSERT (Packet !=3D NULL);+ return FALSE;+ }++ i= f (IpSb =3D=3D NULL) {+ ASSERT (IpSb !=3D NULL);+ return FALSE;+ } = Offset =3D 0; 
@@ -54,7 +76,8 @@ Ip6IsOptionValid ( // // It is a PadN option //- Offset =3D (U= INT8)(Offset + *(Option + Offset + 1) + 2);+ OptDataLen =3D ((IP6_OP= TION_HEADER *)(Option + Offset))->Length;+ Offset =3D IP6_NEXT_O= PTION_OFFSET (Offset, OptDataLen); break; case Ip6OptionRoute= rAlert: //@@ -69,7 +92,8 @@ Ip6IsOptionValid ( // switch (OptionType & Ip6OptionMask) { case Ip= 6OptionSkip:- Offset =3D (UINT8)(Offset + *(Option + Offset + 1)= );+ OptDataLen =3D ((IP6_OPTION_HEADER *)(Option + Offset))->Len= gth;+ Offset =3D IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen)= ; break; case Ip6OptionDiscard: return FA= LSE;@@ -308,7 +332,7 @@ Ip6IsExtsValid ( UINT32 Pointer; UINT32 Offset; UINT8 = *Option;- UINT8 OptionLen;+ UINT16 = OptionLen; BOOLEAN Flag; UINT8 CountD; = UINT8 CountA;@@ -385,6 +409,36 @@ Ip6IsExtsValid ( // Fall through // case IP6_DESTINATION:+ //+ = // See https://www.rfc-editor.org/rfc/rfc2460#section-4.2 page 23+ = //+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-= +-+-+-++ // | Next Header | Hdr Ext Len | = |+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ = ++ // | = |+ // . = .+ // . Options = .+ // . = .+ // | = |+ // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-= +-+-+-+-+-+-+-+-+-+-+-++ //+ //+ // Next Header 8= -bit selector. Identifies the type of header+ // i= mmediately following the Destination Options+ // he= ader. Uses the same values as the IPv4+ // Protoco= l field [RFC-1700 et seq.].+ //+ // Hdr Ext Len 8-bit un= signed integer. Length of the+ // Destination Opti= ons header in 8-octet units, not+ // including the = first 8 octets.+ //+ // Options Variable-length fiel= d, of length such that the+ // complete Destination= Options header is an+ // integer multiple of 8 oct= ets long. 
Contains one+ // or more TLV-encoded op= tions, as described in+ // section 4.2.+ //+= if (*NextHeader =3D=3D IP6_DESTINATION) { CountD++; = }@@ -398,7 +452,7 @@ Ip6IsExtsValid ( Offset++; Option =3D ExtHdrs + Offset;- OptionL= en =3D (UINT8)((*Option + 1) * 8 - 2);+ OptionLen =3D IP6_HDR_EXT_LE= N (*Option) - sizeof (IP6_EXT_HDR); Option++; Offset++; @@ = -430,7 +484,7 @@ Ip6IsExtsValid ( // // Ignore the routing header and proceed to process= the next header. //- Offset =3D Offset + (RoutingHead->= HeaderLen + 1) * 8;+ Offset =3D Offset + IP6_HDR_EXT_LEN (RoutingH= ead->HeaderLen); if (UnFragmentLen !=3D NULL) { *UnF= ragmentLen =3D Offset;@@ -441,7 +495,7 @@ Ip6IsExtsValid ( // to the packet's source address, pointing to the unrecognized = routing // type. //- Pointer =3D Offset + 2 + = sizeof (EFI_IP6_HEADER);+ Pointer =3D Offset + sizeof (IP6_EXT_HDR= ) + sizeof (EFI_IP6_HEADER); if ((IpSb !=3D NULL) && (Packet !=3D= NULL) && !IP6_IS_MULTICAST (&Packet->Ip.Ip6->DestinationAddr= ess)) {@@ -527,7 +581,7 @@ Ip6IsExtsValid ( // // RFC2402, Payload length is specified in 32-bit words= , minus "2". //- OptionLen =3D (UINT8)((*Option + 2) * 4);+ = OptionLen =3D ((UINT16)(*Option + 2) * 4); Offset =3D Off= set + OptionLen; break; --=20 2.43.0
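
Review bot: In the Ip6Nd.h hunk, IP6_NEXT_OPTION_OFFSET expands its arguments without parentheses and evaluates to the unsigned type of sizeof, which Ip6IsOptionValid then stores into the UINT16 Offset. Suggest `((offset) + sizeof (IP6_OPTION_HEADER) + (length))` plus an explicit cast or range check at the assignment so the narrowing is deliberate. The trailing `/// Option-Type-specific data.` comment inside IP6_OPTION_HEADER documents a member the struct does not declare; drop it or say that the data follows the two-byte header.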
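
Review bot: In the Ip6Option.h hunk, the comment above IP6_HDR_EXT_LEN says the result may be up to 2046 octets, but the macro as written gives (255 + 1) * 8 = 2048 for the largest input; 2046 is IP6_MAX_EXT_DATA_LENGTH, after sizeof (IP6_EXT_HDR) is subtracted, as the STATIC_ASSERT below it states. Reword the comment to give 2048 for the macro and 2046 for the data length, and fix "maxmimum" and "a extension header" in the same block.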
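
Review bot: In the new argument checks at the top of Ip6IsOptionValid, `OptionLen <= 0` on a UINT16 can only mean `== 0`, and the Packet and IpSb checks now ASSERT and return FALSE on NULL while Ip6IsExtsValid, later in this same patch, still treats both as optional (`if ((IpSb != NULL) && (Packet != NULL) && ...`). If Ip6IsExtsValid forwards its own IpSb and Packet to this function, a caller that validates with NULL for either will now hit the ASSERT in debug builds and be rejected in release builds; confirm no such caller exists, or require the pointers only on the paths that dereference them.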
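
Review bot: In the PadN and Ip6OptionSkip cases of Ip6IsOptionValid, `->Length` is read at Option + Offset + 1 and Offset is advanced with no visible check that the length byte, or the new Offset, stays inside OptionLen. Widening Offset to UINT16 removes the wrap back to an earlier offset, but unless the loop condition outside these hunks already guarantees Offset + sizeof (IP6_OPTION_HEADER) <= OptionLen, add that check before the read and return FALSE when the computed next offset exceeds OptionLen.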
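
Review bot: The comment block added under `case IP6_DESTINATION:` in Ip6IsExtsValid cites rfc2460 section 4.2, while the comments this patch adds to Ip6Nd.h and Ip6Option.h cite RFC 8200, and the diagram repeats the one placed above IP6_EXT_HDR. Point this comment at RFC 8200 section 4.6, as the header does, and refer to IP6_EXT_HDR instead of carrying a second copy of the layout.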
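
Review bot: At `OptionLen = IP6_HDR_EXT_LEN (*Option) - sizeof (IP6_EXT_HDR);` in Ip6IsExtsValid, the right-hand side has the width of sizeof and is narrowed implicitly into the UINT16 OptionLen; an explicit (UINT16) cast documents that, and the STATIC_ASSERT on IP6_MAX_EXT_DATA_LENGTH shows the value fits. The commit message quotes this line with IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN and the option cast as EFI_IP6_OPTION, but the diff uses sizeof (IP6_EXT_HDR) and IP6_OPTION_HEADER; the message should match what is applied.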
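
Review bot: In the RFC2402 payload-length case at the end of Ip6IsExtsValid, `((UINT16)(*Option + 2) * 4)` casts the sum before the multiply, so the product is computed as int and narrowed only on assignment, and the 2 and 4 stay as literals while the other extension headers moved to IP6_HDR_EXT_LEN. Consider a small named macro next to IP6_HDR_EXT_LEN with the cast around the whole expression.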
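
The offset arithmetic that the Change Overview calls incorrect, side by side with the patched form, as an added example (not code from the patch or from EDK II). The walker, the helper names and the option bytes are constructed for illustration; Pad1 and per-type handling are left out, and only the expressions inside the old_*/new_* helpers follow the quoted lines.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration: helper names are hypothetical, not EDK II identifiers. */
#define OPT_HDR_SIZE 2u   /* Option Type + Opt Data Len */
#define STEP_CAP     4096 /* walk budget, so a stuck offset is reported */

typedef uint16_t (*next_fn)(uint16_t off, uint8_t data_len);

/* Pre-patch Ip6OptionSkip: 8-bit result, option header not counted. */
static uint16_t old_skip(uint16_t off, uint8_t n) { return (uint8_t)(off + n); }
/* Pre-patch PadN: header counted, but the sum is truncated to 8 bits. */
static uint16_t old_padn(uint16_t off, uint8_t n) { return (uint8_t)(off + n + 2); }
/* Patched: offset + header size + data length, kept in 16 bits. */
static uint16_t new_next(uint16_t off, uint8_t n) { return (uint16_t)(off + OPT_HDR_SIZE + n); }

/* Option-area length derived from Hdr Ext Len, pre-patch and patched. */
uint16_t old_area_len(uint8_t ext) { return (uint8_t)((ext + 1) * 8 - 2); }
uint16_t new_area_len(uint8_t ext) { return (uint16_t)(((uint16_t)ext + 1) * 8 - 2); }

/*
 * Walk a buffer of TLV options using the given offset rule.
 * Returns the number of options visited, -1 if the offset was still inside
 * the area after STEP_CAP steps, -2 if an option runs past the area (a bounds
 * check added for this example).
 */
int walk(const uint8_t *opt, uint16_t len, next_fn next) {
    uint16_t off = 0;
    int steps = 0;
    while (off < len) {
        if (steps++ >= STEP_CAP) return -1;
        if ((uint32_t)off + OPT_HDR_SIZE > (uint32_t)len) return -2;
        off = next(off, opt[off + 1]);
        if (off > len) return -2;
    }
    return steps;
}

/* Constructed option bytes, not captured traffic. */
static const uint8_t SKIP_OPTS[6]   = {0x1E, 0, 0x1E, 2, 0, 0}; /* unknown type, high bits 00 */
static const uint8_t PADN_OPTS[256] = {1, 254};                 /* PadN with 254 data bytes */

int demo_skip_old(void) { return walk(SKIP_OPTS, 6, old_skip); }
int demo_skip_new(void) { return walk(SKIP_OPTS, 6, new_next); }
int demo_padn_old(void) { return walk(PADN_OPTS, 256, old_padn); }
int demo_padn_new(void) { return walk(PADN_OPTS, 256, new_next); }

int main(void) {
    printf("skip: old=%d new=%d\n", demo_skip_old(), demo_skip_new());
    printf("padn: old=%d new=%d\n", demo_padn_old(), demo_padn_new());
    printf("area(255): old=%u new=%u\n", old_area_len(255), new_area_len(255));
    return 0;
}
```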