From: "Saloni Kasbekar" <saloni.kasbekar@intel.com>
To: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Clark-williams, Zachary" <zachary.clark-williams@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 01/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
Date: Thu, 1 Feb 2024 19:35:01 +0000
Message-ID: <SN7PR11MB8281BF9782F99289429747A6F1432@SN7PR11MB8281.namprd11.prod.outlook.com>
In-Reply-To: <a673060790a9056f68b7772664b4a8626b3d49bb.1706219324.git.doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
-----Original Message-----
From: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Sent: Thursday, January 25, 2024 1:55 PM
To: devel@edk2.groups.io
Cc: Douglas Flick [MSFT] <doug.edk2@gmail.com>; Kasbekar, Saloni <saloni.kasbekar@intel.com>; Clark-williams, Zachary <zachary.clark-williams@intel.com>
Subject: [PATCH v2 01/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535
Bug Details:
PixieFail Bug #2
CVE-2023-45230
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Changes Overview:
> -UINT8 *
> +EFI_STATUS
> Dhcp6AppendOption (
> - IN OUT UINT8 *Buf,
> - IN UINT16 OptType,
> - IN UINT16 OptLen,
> - IN UINT8 *Data
> + IN OUT EFI_DHCP6_PACKET *Packet,
> + IN OUT UINT8 **PacketCursor,
> + IN UINT16 OptType,
> + IN UINT16 OptLen,
> + IN UINT8 *Data
> );
Dhcp6AppendOption() and variants can return errors now. All callsites are adapted accordingly.
It gets passed in EFI_DHCP6_PACKET as additional parameter ...
> + //
> + // Verify the PacketCursor is within the packet // if (
> + (*PacketCursor < Packet->Dhcp6.Option)
> + || (*PacketCursor >= Packet->Dhcp6.Option +
(Packet->Size - sizeof (EFI_DHCP6_HEADER))))
> + {
> + return EFI_INVALID_PARAMETER;
> + }
... so it can look at Packet->Size when checking buffer space.
Also to allow Packet->Length updates.
Lots of checks added.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 43 +++
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h | 78 +++---
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 409 +++++++++++++++++++----------
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 373 +++++++++++++++++++++-----
4 files changed, 666 insertions(+), 237 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h index 0eb9c669b5a1..f2422c2f2827 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
@@ -45,6 +45,49 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
#define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S') #define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I') +//+// For more information on DHCP options see RFC 8415, Section 21.1+//+// The format of DHCP options is:+//+// 0 1 2 3+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++// | option-code | option-len |+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++// | option-data |+// | (option-len octets) |+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++//+#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16))+#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16))++//+// Combined size of Code and Length+//+#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \+ DHCP6_SIZE_OF_OPT_LEN)++STATIC_ASSERT (+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN == 4,+ "Combined size of Code and Length must be 4 per RFC 8415"+ );++//+// Offset to the length is just past the code+//+#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE)+STATIC_ASSERT (+ DHCP6_OPT_LEN_OFFSET (0) == 2,+ "Offset of length is + 2 past start of option"+ );++#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)+STATIC_ASSERT (+ DHCP6_OPT_DATA_OFFSET (0) == 4,+ "Offset to option data should be +4 from start of option"+ );+ #define DHCP6_PACKET_ALL 0 #define DHCP6_PACKET_STATEFUL 1 #define DHCP6_PACKET_STATELESS 2diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h
index 046454ff4ac2..06947f6c1fcf 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h
@@ -160,69 +160,85 @@ Dhcp6OnTransmitted (
); /**- Append the appointed option to the buf, and move the buf to the end.+ Append the option to Buf, update the length of packet, and move Buf to the end. - @param[in, out] Buf The pointer to buffer.- @param[in] OptType The option type.- @param[in] OptLen The length of option content.s- @param[in] Data The pointer to the option content.-- @return Buf The position to append the next option.+ @param[in, out] Packet A pointer to the packet, on success Packet->Length+ will be updated.+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor+ will be moved to the end of the option.+ @param[in] OptType The option type.+ @param[in] OptLen The length of option contents.+ @param[in] Data The pointer to the option content. + @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.+ @retval EFI_SUCCESS The option is appended successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendOption (- IN OUT UINT8 *Buf,- IN UINT16 OptType,- IN UINT16 OptLen,- IN UINT8 *Data+ IN OUT EFI_DHCP6_PACKET *Packet,+ IN OUT UINT8 **PacketCursor,+ IN UINT16 OptType,+ IN UINT16 OptLen,+ IN UINT8 *Data ); /**- Append the Ia option to Buf, and move Buf to the end.-- @param[in, out] Buf The pointer to the position to append.+ Append the appointed Ia option to Buf, update the Ia option length, and move Buf+ to the end of the option.+ @param[in, out] Packet A pointer to the packet, on success Packet->Length+ will be updated.+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor+ will be moved to the end of the option. @param[in] Ia The pointer to the Ia. @param[in] T1 The time of T1. @param[in] T2 The time of T2. @param[in] MessageType Message type of DHCP6 package. 
- @return Buf The position to append the next Ia option.-+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.+ @retval EFI_SUCCESS The option is appended successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendIaOption (- IN OUT UINT8 *Buf,- IN EFI_DHCP6_IA *Ia,- IN UINT32 T1,- IN UINT32 T2,- IN UINT32 MessageType+ IN OUT EFI_DHCP6_PACKET *Packet,+ IN OUT UINT8 **PacketCursor,+ IN EFI_DHCP6_IA *Ia,+ IN UINT32 T1,+ IN UINT32 T2,+ IN UINT32 MessageType ); /** Append the appointed Elapsed time option to Buf, and move Buf to the end. - @param[in, out] Buf The pointer to the position to append.+ @param[in, out] Packet A pointer to the packet, on success Packet->Length+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor+ will be moved to the end of the option. @param[in] Instance The pointer to the Dhcp6 instance. @param[out] Elapsed The pointer to the elapsed time value in the generated packet. - @return Buf The position to append the next Ia option.+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.+ @retval EFI_SUCCESS The option is appended successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendETOption (- IN OUT UINT8 *Buf,- IN DHCP6_INSTANCE *Instance,- OUT UINT16 **Elapsed+ IN OUT EFI_DHCP6_PACKET *Packet,+ IN OUT UINT8 **PacketCursor,+ IN DHCP6_INSTANCE *Instance,+ OUT UINT16 **Elapsed ); /** Set the elapsed time based on the given instance and the pointer to the elapsed time option. - @param[in] Elapsed The pointer to the position to append.- @param[in] Instance The pointer to the Dhcp6 instance.+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.+ @retval EFI_SUCCESS The option is appended successfully. 
**/ VOID SetElapsedTime (diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index dcd01e6268b1..bf5aa7a769de 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -3,9 +3,9 @@
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR> Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent- **/ #include "Dhcp6Impl.h"@@ -930,7 +930,8 @@ Dhcp6SendSolicitMsg (
// Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet == NULL) {- return EFI_OUT_OF_RESOURCES;+ Status = EFI_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen;@@ -944,54 +945,64 @@ Dhcp6SendSolicitMsg (
Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length);- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendETOption (- Cursor,+ Status = Dhcp6AppendETOption (+ Packet,+ &Cursor, Instance, &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendIaOption (- Cursor,+ Status = Dhcp6AppendIaOption (+ Packet,+ &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } // // Append user-defined when configurate Dhcp6 service. // for (Index = 0; Index < Instance->Config->OptionCount; Index++) { UserOpt = Instance->Config->OptionList[Index];- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } } - //- // Determine the size/length of packet.- //- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to user with the packet to be sent and check the user's feedback. // Status = Dhcp6CallbackUser (Instance, Dhcp6SendSolicit, &Packet);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } //@@ -1005,10 +1016,8 @@ Dhcp6SendSolicitMsg (
Instance->StartTime = 0; Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } //@@ -1020,6 +1029,14 @@ Dhcp6SendSolicitMsg (
Elapsed, Instance->Config->SolicitRetransmission );++ON_ERROR:++ if (Packet) {+ FreePool (Packet);+ }++ return Status; } /**@@ -1110,7 +1127,8 @@ Dhcp6SendRequestMsg (
// Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet == NULL) {- return EFI_OUT_OF_RESOURCES;+ Status = EFI_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen;@@ -1124,51 +1142,67 @@ Dhcp6SendRequestMsg (
Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length);- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendETOption (- Cursor,+ Status = Dhcp6AppendETOption (+ Packet,+ &Cursor, Instance, &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendIaOption (- Cursor,+ Status = Dhcp6AppendIaOption (+ Packet,+ &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } // // Append user-defined when configurate Dhcp6 service. // for (Index = 0; Index < Instance->Config->OptionCount; Index++) { UserOpt = Instance->Config->OptionList[Index];- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } } - //- // Determine the size/length of packet.- //- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); //@@ -1177,8 +1211,7 @@ Dhcp6SendRequestMsg (
Status = Dhcp6CallbackUser (Instance, Dhcp6SendRequest, &Packet); if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } //@@ -1194,14 +1227,21 @@ Dhcp6SendRequestMsg (
Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);++ON_ERROR:++ if (Packet) {+ FreePool (Packet);+ }++ return Status; } /**@@ -1266,7 +1306,8 @@ Dhcp6SendDeclineMsg (
// Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); if (Packet == NULL) {- return EFI_OUT_OF_RESOURCES;+ Status = EFI_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE;@@ -1280,42 +1321,58 @@ Dhcp6SendDeclineMsg (
Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length);- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendETOption (- Cursor,+ Status = Dhcp6AppendETOption (+ Packet,+ &Cursor, Instance, &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendIaOption (Cursor, DecIa, 0, 0, Packet->Dhcp6.Header.MessageType);+ Status = Dhcp6AppendIaOption (+ Packet,+ &Cursor,+ DecIa,+ 0,+ 0,+ Packet->Dhcp6.Header.MessageType+ );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - //- // Determine the size/length of packet.- //- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to user with the packet to be sent and check the user's feedback. // Status = Dhcp6CallbackUser (Instance, Dhcp6SendDecline, &Packet);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } //@@ -1329,16 +1386,22 @@ Dhcp6SendDeclineMsg (
Instance->StartTime = 0; Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);++ON_ERROR:++ if (Packet) {+ FreePool (Packet);+ }++ return Status; } /**@@ -1399,7 +1462,8 @@ Dhcp6SendReleaseMsg (
// Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); if (Packet == NULL) {- return EFI_OUT_OF_RESOURCES;+ Status = EFI_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE;@@ -1413,45 +1477,61 @@ Dhcp6SendReleaseMsg (
Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length);- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } // // ServerId is extracted from packet, it's network order. //- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendETOption (- Cursor,+ Status = Dhcp6AppendETOption (+ Packet,+ &Cursor, Instance, &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendIaOption (Cursor, RelIa, 0, 0, Packet->Dhcp6.Header.MessageType);+ Status = Dhcp6AppendIaOption (+ Packet,+ &Cursor,+ RelIa,+ 0,+ 0,+ Packet->Dhcp6.Header.MessageType+ );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - //- // Determine the size/length of packet- //- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to user with the packet to be sent and check the user's feedback. // Status = Dhcp6CallbackUser (Instance, Dhcp6SendRelease, &Packet);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } //@@ -1461,16 +1541,22 @@ Dhcp6SendReleaseMsg (
Instance->IaCb.Ia->State = Dhcp6Releasing; Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);++ON_ERROR:++ if (Packet) {+ FreePool (Packet);+ }++ return Status; } /**@@ -1529,7 +1615,8 @@ Dhcp6SendRenewRebindMsg (
// Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet == NULL) {- return EFI_OUT_OF_RESOURCES;+ Status = EFI_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen;@@ -1543,26 +1630,38 @@ Dhcp6SendRenewRebindMsg (
Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length);- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendETOption (- Cursor,+ Status = Dhcp6AppendETOption (+ Packet,+ &Cursor, Instance, &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendIaOption (- Cursor,+ Status = Dhcp6AppendIaOption (+ Packet,+ &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } if (!RebindRequest) { //@@ -1578,18 +1677,22 @@ Dhcp6SendRenewRebindMsg (
Dhcp6OptServerId ); if (Option == NULL) {- FreePool (Packet);- return EFI_DEVICE_ERROR;+ Status = EFI_DEVICE_ERROR;+ goto ON_ERROR; } ServerId = (EFI_DHCP6_DUID *)(Option + 2); - Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } } //@@ -1597,18 +1700,18 @@ Dhcp6SendRenewRebindMsg (
// for (Index = 0; Index < Instance->Config->OptionCount; Index++) { UserOpt = Instance->Config->OptionList[Index];- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } } - //- // Determine the size/length of packet.- //- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); //@@ -1618,10 +1721,8 @@ Dhcp6SendRenewRebindMsg (
Event = (RebindRequest) ? Dhcp6EnterRebinding : Dhcp6EnterRenewing; Status = Dhcp6CallbackUser (Instance, Event, &Packet);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } //@@ -1638,16 +1739,22 @@ Dhcp6SendRenewRebindMsg (
Instance->StartTime = 0; Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);++ON_ERROR:++ if (Packet) {+ FreePool (Packet);+ }++ return Status; } /**@@ -1811,7 +1918,8 @@ Dhcp6SendInfoRequestMsg (
// Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet == NULL) {- return EFI_OUT_OF_RESOURCES;+ Status = EFI_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen;@@ -1828,44 +1936,56 @@ Dhcp6SendInfoRequestMsg (
if (SendClientId) { Length = HTONS (ClientId->Length);- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } } - Cursor = Dhcp6AppendETOption (- Cursor,+ Status = Dhcp6AppendETOption (+ Packet,+ &Cursor, Instance, &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, OptionRequest->OpCode, OptionRequest->OpLen, OptionRequest->Data );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } // // Append user-defined when configurate Dhcp6 service. // for (Index = 0; Index < OptionCount; Index++) { UserOpt = OptionList[Index];- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } } - //- // Determine the size/length of packet.- //- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); //@@ -1877,16 +1997,22 @@ Dhcp6SendInfoRequestMsg (
// Send info-request packet with no state. // Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, Retransmission);++ON_ERROR:++ if (Packet) {+ FreePool (Packet);+ }++ return Status; } /**@@ -1937,7 +2063,8 @@ Dhcp6SendConfirmMsg (
// Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet == NULL) {- return EFI_OUT_OF_RESOURCES;+ Status = EFI_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen;@@ -1951,54 +2078,64 @@ Dhcp6SendConfirmMsg (
Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length);- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendETOption (- Cursor,+ Status = Dhcp6AppendETOption (+ Packet,+ &Cursor, Instance, &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor = Dhcp6AppendIaOption (- Cursor,+ Status = Dhcp6AppendIaOption (+ Packet,+ &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } // // Append user-defined when configurate Dhcp6 service. // for (Index = 0; Index < Instance->Config->OptionCount; Index++) { UserOpt = Instance->Config->OptionList[Index];- Cursor = Dhcp6AppendOption (- Cursor,+ Status = Dhcp6AppendOption (+ Packet,+ &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } } - //- // Determine the size/length of packet.- //- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to user with the packet to be sent and check the user's feedback. // Status = Dhcp6CallbackUser (Instance, Dhcp6SendConfirm, &Packet);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } //@@ -2012,16 +2149,22 @@ Dhcp6SendConfirmMsg (
Instance->StartTime = 0; Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);++ON_ERROR:++ if (Packet) {+ FreePool (Packet);+ }++ return Status; } /**diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
index e6368b5b1c6c..705c665c519d 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
@@ -577,24 +577,33 @@ Dhcp6OnTransmitted (
} /**- Append the option to Buf, and move Buf to the end.+ Append the option to Buf, update the length of packet, and move Buf to the end. - @param[in, out] Buf The pointer to the buffer.- @param[in] OptType The option type.- @param[in] OptLen The length of option contents.- @param[in] Data The pointer to the option content.+ @param[in, out] Packet A pointer to the packet, on success Packet->Length+ will be updated.+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor+ will be moved to the end of the option.+ @param[in] OptType The option type.+ @param[in] OptLen The length of option contents.+ @param[in] Data The pointer to the option content. - @return Buf The position to append the next option.+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.+ @retval EFI_SUCCESS The option is appended successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendOption (- IN OUT UINT8 *Buf,- IN UINT16 OptType,- IN UINT16 OptLen,- IN UINT8 *Data+ IN OUT EFI_DHCP6_PACKET *Packet,+ IN OUT UINT8 **PacketCursor,+ IN UINT16 OptType,+ IN UINT16 OptLen,+ IN UINT8 *Data ) {+ UINT32 Length;+ UINT32 BytesNeeded;+ // // The format of Dhcp6 option: //@@ -607,35 +616,95 @@ Dhcp6AppendOption (
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // - ASSERT (OptLen != 0);+ //+ // Verify the arguments are valid+ //+ if (Packet == NULL) {+ return EFI_INVALID_PARAMETER;+ } - WriteUnaligned16 ((UINT16 *)Buf, OptType);- Buf += 2;- WriteUnaligned16 ((UINT16 *)Buf, OptLen);- Buf += 2;- CopyMem (Buf, Data, NTOHS (OptLen));- Buf += NTOHS (OptLen);+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {+ return EFI_INVALID_PARAMETER;+ } - return Buf;+ if (Data == NULL) {+ return EFI_INVALID_PARAMETER;+ }++ if (OptLen == 0) {+ return EFI_INVALID_PARAMETER;+ }++ //+ // Verify the PacketCursor is within the packet+ //+ if ( (*PacketCursor < Packet->Dhcp6.Option)+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))+ {+ return EFI_INVALID_PARAMETER;+ }++ //+ // Calculate the bytes needed for the option+ //+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + NTOHS (OptLen);++ //+ // Space remaining in the packet+ //+ Length = Packet->Size - Packet->Length;+ if (Length < BytesNeeded) {+ return EFI_BUFFER_TOO_SMALL;+ }++ //+ // Verify the PacketCursor is within the packet+ //+ if ( (*PacketCursor < Packet->Dhcp6.Option)+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))+ {+ return EFI_INVALID_PARAMETER;+ }++ WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType);+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;+ WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen);+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;+ CopyMem (*PacketCursor, Data, NTOHS (OptLen));+ *PacketCursor += NTOHS (OptLen);++ // Update the packet length by the length of the option + 4 bytes+ Packet->Length += BytesNeeded;++ return EFI_SUCCESS; } /** Append the appointed IA Address option to Buf, and move Buf to the end. 
- @param[in, out] Buf The pointer to the position to append.+ @param[in, out] Packet A pointer to the packet, on success Packet->Length+ will be updated.+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor+ will be moved to the end of the option. @param[in] IaAddr The pointer to the IA Address. @param[in] MessageType Message type of DHCP6 package. - @return Buf The position to append the next option.+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.+ @retval EFI_SUCCESS The option is appended successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendIaAddrOption (- IN OUT UINT8 *Buf,+ IN OUT EFI_DHCP6_PACKET *Packet,+ IN OUT UINT8 **PacketCursor, IN EFI_DHCP6_IA_ADDRESS *IaAddr, IN UINT32 MessageType ) {+ UINT32 BytesNeeded;+ UINT32 Length;+ // The format of the IA Address option is: // // 0 1 2 3@@ -657,17 +726,60 @@ Dhcp6AppendIaAddrOption (
// . . // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + //+ // Verify the arguments are valid+ //+ if (Packet == NULL) {+ return EFI_INVALID_PARAMETER;+ }++ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {+ return EFI_INVALID_PARAMETER;+ }++ if (IaAddr == NULL) {+ return EFI_INVALID_PARAMETER;+ }++ //+ // Verify the PacketCursor is within the packet+ //+ if ( (*PacketCursor < Packet->Dhcp6.Option)+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))+ {+ return EFI_INVALID_PARAMETER;+ }++ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;+ BytesNeeded += sizeof (EFI_IPv6_ADDRESS);+ //+ // Even if the preferred-lifetime is 0, it still needs to store it.+ //+ BytesNeeded += sizeof (IaAddr->PreferredLifetime);+ //+ // Even if the valid-lifetime is 0, it still needs to store it.+ //+ BytesNeeded += sizeof (IaAddr->ValidLifetime);++ //+ // Space remaining in the packet+ //+ Length = Packet->Size - Packet->Length;+ if (Length < BytesNeeded) {+ return EFI_BUFFER_TOO_SMALL;+ }+ // // Fill the value of Ia Address option type //- WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptIaAddr));- Buf += 2;+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptIaAddr));+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; - WriteUnaligned16 ((UINT16 *)Buf, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS)));- Buf += 2;+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS)));+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; - CopyMem (Buf, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS));- Buf += sizeof (EFI_IPv6_ADDRESS);+ CopyMem (*PacketCursor, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS));+ *PacketCursor += sizeof (EFI_IPv6_ADDRESS); // // Fill the value of preferred-lifetime and valid-lifetime.@@ -675,44 +787,58 @@ Dhcp6AppendIaAddrOption (
// should set to 0 when initiate a Confirm message. // if (MessageType != Dhcp6MsgConfirm) {- WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->PreferredLifetime));+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->PreferredLifetime)); } - Buf += 4;+ *PacketCursor += sizeof (IaAddr->PreferredLifetime); if (MessageType != Dhcp6MsgConfirm) {- WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->ValidLifetime));+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->ValidLifetime)); } - Buf += 4;+ *PacketCursor += sizeof (IaAddr->ValidLifetime); - return Buf;+ //+ // Update the packet length+ //+ Packet->Length += BytesNeeded;++ return EFI_SUCCESS; } /** Append the appointed Ia option to Buf, and move Buf to the end. - @param[in, out] Buf The pointer to the position to append.+ @param[in, out] Packet A pointer to the packet, on success Packet->Length+ will be updated.+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor+ will be moved to the end of the option. @param[in] Ia The pointer to the Ia. @param[in] T1 The time of T1. @param[in] T2 The time of T2. @param[in] MessageType Message type of DHCP6 package. - @return Buf The position to append the next Ia option.+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.+ @retval EFI_SUCCESS The option is appended successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendIaOption (- IN OUT UINT8 *Buf,- IN EFI_DHCP6_IA *Ia,- IN UINT32 T1,- IN UINT32 T2,- IN UINT32 MessageType+ IN OUT EFI_DHCP6_PACKET *Packet,+ IN OUT UINT8 **PacketCursor,+ IN EFI_DHCP6_IA *Ia,+ IN UINT32 T1,+ IN UINT32 T2,+ IN UINT32 MessageType ) {- UINT8 *AddrOpt;- UINT16 *Len;- UINTN Index;+ UINT8 *AddrOpt;+ UINT16 *Len;+ UINTN Index;+ UINT32 BytesNeeded;+ UINT32 Length;+ EFI_STATUS Status; // // The format of IA_NA and IA_TA option:@@ -733,32 +859,74 @@ Dhcp6AppendIaOption (
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // + //+ // Verify the arguments are valid+ //+ if (Packet == NULL) {+ return EFI_INVALID_PARAMETER;+ }++ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {+ return EFI_INVALID_PARAMETER;+ }++ if (Ia == NULL) {+ return EFI_INVALID_PARAMETER;+ }++ //+ // Verify the PacketCursor is within the packet+ //+ if ( (*PacketCursor < Packet->Dhcp6.Option)+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))+ {+ return EFI_INVALID_PARAMETER;+ }++ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;+ BytesNeeded += sizeof (Ia->Descriptor.IaId);+ //+ // + N for the IA_NA-options/IA_TA-options+ // Dhcp6AppendIaAddrOption will need to check the length for each address+ //+ if (Ia->Descriptor.Type == Dhcp6OptIana) {+ BytesNeeded += sizeof (T1) + sizeof (T2);+ }++ //+ // Space remaining in the packet+ //+ Length = (UINT16)(Packet->Size - Packet->Length);+ if (Length < BytesNeeded) {+ return EFI_BUFFER_TOO_SMALL;+ }+ // // Fill the value of Ia option type //- WriteUnaligned16 ((UINT16 *)Buf, HTONS (Ia->Descriptor.Type));- Buf += 2;+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Ia->Descriptor.Type));+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; // // Fill the len of Ia option later, keep the pointer first //- Len = (UINT16 *)Buf;- Buf += 2;+ Len = (UINT16 *)*PacketCursor;+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; // // Fill the value of iaid //- WriteUnaligned32 ((UINT32 *)Buf, HTONL (Ia->Descriptor.IaId));- Buf += 4;+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (Ia->Descriptor.IaId));+ *PacketCursor += sizeof (Ia->Descriptor.IaId); // // Fill the value of t1 and t2 if iana, keep it 0xffffffff if no specified. // if (Ia->Descriptor.Type == Dhcp6OptIana) {- WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T1 != 0) ? T1 : 0xffffffff));- Buf += 4;- WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T2 != 0) ? 
T2 : 0xffffffff));- Buf += 4;+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T1 != 0) ? T1 : 0xffffffff));+ *PacketCursor += sizeof (T1);+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T2 != 0) ? T2 : 0xffffffff));+ *PacketCursor += sizeof (T2); } //@@ -766,35 +934,51 @@ Dhcp6AppendIaOption (
// for (Index = 0; Index < Ia->IaAddressCount; Index++) { AddrOpt = (UINT8 *)Ia->IaAddress + Index * sizeof (EFI_DHCP6_IA_ADDRESS);- Buf = Dhcp6AppendIaAddrOption (Buf, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType);+ Status = Dhcp6AppendIaAddrOption (Packet, PacketCursor, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType);+ if (EFI_ERROR (Status)) {+ return Status;+ } } // // Fill the value of Ia option length //- *Len = HTONS ((UINT16)(Buf - (UINT8 *)Len - 2));+ *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2)); - return Buf;+ //+ // Update the packet length+ //+ Packet->Length += BytesNeeded;++ return EFI_SUCCESS; } /** Append the appointed Elapsed time option to Buf, and move Buf to the end. - @param[in, out] Buf The pointer to the position to append.+ @param[in, out] Packet A pointer to the packet, on success Packet->Length+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor+ will be moved to the end of the option. @param[in] Instance The pointer to the Dhcp6 instance. @param[out] Elapsed The pointer to the elapsed time value in- the generated packet.+ the generated packet. - @return Buf The position to append the next Ia option.+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.+ @retval EFI_SUCCESS The option is appended successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendETOption (- IN OUT UINT8 *Buf,- IN DHCP6_INSTANCE *Instance,- OUT UINT16 **Elapsed+ IN OUT EFI_DHCP6_PACKET *Packet,+ IN OUT UINT8 **PacketCursor,+ IN DHCP6_INSTANCE *Instance,+ OUT UINT16 **Elapsed ) {+ UINT32 BytesNeeded;+ UINT32 Length;+ // // The format of elapsed time option: //@@ -806,27 +990,70 @@ Dhcp6AppendETOption (
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // + //+ // Verify the arguments are valid+ //+ if (Packet == NULL) {+ return EFI_INVALID_PARAMETER;+ }++ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {+ return EFI_INVALID_PARAMETER;+ }++ if (Instance == NULL) {+ return EFI_INVALID_PARAMETER;+ }++ if ((Elapsed == NULL)) {+ return EFI_INVALID_PARAMETER;+ }++ //+ // Verify the PacketCursor is within the packet+ //+ if ( (*PacketCursor < Packet->Dhcp6.Option)+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))+ {+ return EFI_INVALID_PARAMETER;+ }++ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;+ //+ // + 2 for elapsed-time+ //+ BytesNeeded += sizeof (UINT16);+ //+ // Space remaining in the packet+ //+ Length = Packet->Size - Packet->Length;+ if (Length < BytesNeeded) {+ return EFI_BUFFER_TOO_SMALL;+ }+ // // Fill the value of elapsed-time option type. //- WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptElapsedTime));- Buf += 2;+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptElapsedTime));+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; // // Fill the len of elapsed-time option, which is fixed. //- WriteUnaligned16 ((UINT16 *)Buf, HTONS (2));- Buf += 2;+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (2));+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; // // Fill in elapsed time value with 0 value for now. The actual value is // filled in later just before the packet is transmitted. //- WriteUnaligned16 ((UINT16 *)Buf, HTONS (0));- *Elapsed = (UINT16 *)Buf;- Buf += 2;+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (0));+ *Elapsed = (UINT16 *)*PacketCursor;+ *PacketCursor += sizeof (UINT16); - return Buf;+ Packet->Length += BytesNeeded;++ return EFI_SUCCESS; } /**--
2.43.0
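Review bot: At the end of Dhcp6AppendIaAddrOption, the two lifetime fields are skipped rather than written when MessageType is Dhcp6MsgConfirm: the cursor advances by sizeof (IaAddr->PreferredLifetime) and sizeof (IaAddr->ValidLifetime) with no store, while the comment says they "should set to 0". That only holds if the caller handed in a zeroed buffer, which these lines do not show; writing 0 explicitly in an else branch would remove the dependency. The function description that follows still reads "Append the appointed Ia option to Buf, and move Buf to the end" although the Buf parameter is gone; it should name Packet and PacketCursor.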
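Review bot: In Dhcp6AppendIaOption, `Length = (UINT16)(Packet->Size - Packet->Length);` truncates the remaining space to 16 bits even though Length is declared UINT32, and Dhcp6AppendETOption does the same subtraction without the cast. Drop the cast so the two functions agree; with it, a remainder of 65536 bytes or more wraps to a small value and produces a spurious EFI_BUFFER_TOO_SMALL. Neither function checks that Packet->Length does not exceed Packet->Size before subtracting, so an inconsistent packet would wrap to a very large remainder and pass the space check; a guard returning EFI_INVALID_PARAMETER ahead of the subtraction would close that.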
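Review bot: In Dhcp6AppendIaOption, `Packet->Length += BytesNeeded;` runs only after the Dhcp6AppendIaAddrOption loop, but the option code, length slot, IAID and T1/T2 were already written and *PacketCursor advanced before the loop. The earlier comment says Dhcp6AppendIaAddrOption checks the length for each address; if it does so against Packet->Size - Packet->Length as this function does, it sees BytesNeeded more bytes of room than the cursor actually has left. Moving the Packet->Length update to just before the loop keeps the two in step. The early `return Status;` inside the loop also leaves the cursor advanced and the IA length field unwritten, so the header comment should state that the packet is unusable after a failure. In the Dhcp6AppendETOption header, the Packet description stops at "on success Packet->Length" and is missing "will be updated."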
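Review bot: In Dhcp6AppendETOption (and the identical block in Dhcp6AppendIaOption), the cursor bounds check and the space check are independent of each other: the first only requires *PacketCursor to lie somewhere inside the option area, the second compares BytesNeeded with Packet->Size - Packet->Length. A caller whose cursor does not correspond to Packet->Length can satisfy both and the writes can still run past the end of the buffer. Consider computing the remaining space from the cursor itself, or rejecting a cursor that disagrees with Packet->Length. Minor style point: `if ((Elapsed == NULL)) {` has a redundant pair of parentheses.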