From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 1219A7803CF for ; Thu, 1 Feb 2024 19:35:18 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=k4i1b6FynSBe9q7JiurejhoIoK/A3rm8pjfdVl10PJE=; c=relaxed/simple; d=groups.io; h=ARC-Seal:ARC-Message-Signature:ARC-Authentication-Results:From:To:CC:Subject:Thread-Topic:Thread-Index:Date:Message-ID:References:In-Reply-To:Accept-Language:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding; s=20140610; t=1706816117; v=1; b=OYFGtXYwIlky847pA4hfXp2Gp3ArfPzkeksfo3Y0MXZ5AcwxIKkVBa5fXd5hvLlykBIsVb1l 6WjqGPkfDt0hPJhkqhjW5ELqNym7uop2IDynveFY9Plqj2i3cymH4o5OKql+A4IR9eiB7pmFfQ1 tK9jCMHzQMicMv52049nWFwo= X-Received: by 127.0.0.2 with SMTP id 7xruYY7687511xkstCiypDnm; Thu, 01 Feb 2024 11:35:17 -0800 X-Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.10]) by mx.groups.io with SMTP id smtpd.web10.4918.1706816116187515884 for ; Thu, 01 Feb 2024 11:35:16 -0800 X-IronPort-AV: E=McAfee;i="6600,9927,10971"; a="11354911" X-IronPort-AV: E=Sophos;i="6.05,236,1701158400"; d="scan'208";a="11354911" X-Received: from orviesa008.jf.intel.com ([10.64.159.148]) by fmvoesa104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 01 Feb 2024 11:35:07 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.05,236,1701158400"; d="scan'208";a="191762" X-Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by orviesa008.jf.intel.com with ESMTP/TLS/AES256-GCM-SHA384; 01 Feb 2024 11:35:06 -0800 X-Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Thu, 1 Feb 2024 11:35:05 -0800 X-Received: from orsmsx602.amr.corp.intel.com (10.22.229.15) by ORSMSX610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Thu, 1 Feb 2024 11:35:05 -0800 X-Received: from ORSEDG602.ED.cps.intel.com (10.7.248.7) by orsmsx602.amr.corp.intel.com (10.22.229.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35 via Frontend Transport; Thu, 1 Feb 2024 11:35:05 -0800 X-Received: from NAM10-MW2-obe.outbound.protection.outlook.com (104.47.55.101) by edgegateway.intel.com (134.134.137.103) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Thu, 1 Feb 2024 11:35:04 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Rtbz2Tw+J54mdJjJEtDC0+tchE01BLbeaySgeVzYnMOOVOGPpzzIQ3VkIFo/FZojdHTFO9S4OeCO/4kLhuphK90cVVJz9zVQDHdlA7E5YfdhFN1FKOeU7hCSXJhUdY0nAnrWPNfWjNW/cedVN3X1He4/Fg/E+XRcKTo6HVs3U6oSr9ADtFpkW6eEj+KUDW5Q5yyIWWmRPlMHC6u/M6y4S6DRHTTWplOfTLV83uRawq+SgUCtwmZfaDFuvgPwm2Nr0/2EF9XXei/WYELSeNoD701jL7D1FXWdHCjHO77zeMKsT1GKUKc4fgTD4ZUmnhdmqqjsjEIpeq1XNH87cGuiHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=BRMrg/JYOvASICWWmPz1uIY9yen1sPsnUJisE85hgPs=; b=lsSTspgRtrA2TeB9S9GLVrx+h+AOZWafXUEu2ZNMQqwAdTgcILyfUX0BqGO9xxiNN7mLpGzWj+ef3decVjTLlv1Q2jLLElRSr5OuvxwGT28GmjIoIMoKIodgNJHyEGbGPozX4Mj3uogwqDLVSpTzeGZ5lzHFR7W7ymrtOmh9PVhqAGvhBuVkYG2nGEENbX7zuKEdIVceAOx+oDkRjP0iCTpOLa4pYa1n+sIzx/PB3QFLF4nGVpiufMkGHYAUPviduvjuCUnDZZeypc1ba6VFXfqeLr7VdQ2Ib9r09PXBJ69wD/t6kKj2BylKS9zJ3dD6/JnsHDHYLpoU2NotJ24XMg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none X-Received: from SN7PR11MB8281.namprd11.prod.outlook.com (2603:10b6:806:26b::20) by SA0PR11MB4734.namprd11.prod.outlook.com (2603:10b6:806:99::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7249.29; Thu, 1 Feb 2024 19:35:02 +0000 X-Received: from SN7PR11MB8281.namprd11.prod.outlook.com ([fe80::bf47:e473:3750:b81f]) by SN7PR11MB8281.namprd11.prod.outlook.com ([fe80::bf47:e473:3750:b81f%5]) with mapi id 15.20.7249.024; Thu, 1 Feb 2024 19:35:02 +0000 From: "Saloni Kasbekar" To: "Douglas Flick [MSFT]" , "devel@edk2.groups.io" CC: "Clark-williams, Zachary" Subject: Re: [edk2-devel] [PATCH v2 01/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch Thread-Topic: [PATCH v2 01/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch Thread-Index: AQHaT+Mmg+SSwafp+ESMVxnYHikFB7D16yiw Date: Thu, 1 Feb 2024 19:35:01 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-publictraffictype: Email x-ms-traffictypediagnostic: SN7PR11MB8281:EE_|SA0PR11MB4734:EE_ x-ms-office365-filtering-correlation-id: b4bd0c3e-40b8-4985-11e0-08dc235ce249 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam-message-info: 6XGHif1udDHWESUt0VV2VePLNakkPX0dzg6lY/6LLOnFoASfvEazNzaBmlzp3s4hQW3hzA04Qh3RlQ/eAZjOpWNvfyZHrBePFkk3cKf4kFNE8xsiWlKT2IZsu3KG0M39aFHIwsEV62MkpaWaNvUdxyEfpNQruVHfexlNTwql8C2Ndm7xy3s3H0FKNVTvjYvhcizUqm0pqjnqnRA3/gBSuNHKoAaBUMzT6XSGCUbz8Z4shkb//aFnobksYmtW3Lt4WwYhWhG8EnS0nlygMGmuzlH9I7SkWVV8cGgmC8rLsHaQQ5LbduqIlM9Oqp2zJP9cVXKMpZVFsjbLHVIsl66v61IKSnbjlj2B9p51iXlriAi1kWTntBc8R3S5lPIDwJYESr92c0jQ8nPMwA2LcaH69HUlQ97s94CiqehR+RkCuRjftm7Lsix7cx7jcL0pfUkVQ7/GJEuJc12+2WkI9zax+nNAiSG5M/eZis8kZ1xQPP7CKPu3XYs05rqbQ3seL/C5tk3+B2tWFVvq4yBEc5C0MPJCbLp4HANbKLlIJEfga+wqowrjbedlaivbTR9SwTrLIHtnXtaHR5zJ/RjP/z6kSbMzOZLRjAyQR4Fx9Ipj8WMdhj/Z7bS897Po6dG7MGeQ x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?8xm9zQ186qyQbn3bMa9TvxD+t0D9tIgoFGmVTYDdWEUuvbgg3QAL+CFy7Qnl?= =?us-ascii?Q?LGGEawisRGqGim8LxZh31XE9x1thOWmvuv7S5ofr0xzfAxUIwU5I2mQbXmRW?= =?us-ascii?Q?II3TCa5l/KeRTnvBLpuA5uy+NkUt7vJ5ac4fEAGfGQW6d5eBe7XeNEd09C0C?= =?us-ascii?Q?vAa4OymRQyh48DIPfP3GHSXvmTYrgmAOIo40YQOQdVL60Y+MGs6iS45vXhMx?= =?us-ascii?Q?eLf1izvDX7EckXaVYWOshfK2wsT+dFXHzzUqKeiuGrsPvTWff6nkPm/SLYhU?= =?us-ascii?Q?Lc5Tu79QowLi84s3WKbYzoAGRrluZUG/8b2nGaigNsxkca0T6sRIL4Sm4hJ/?= =?us-ascii?Q?bTfWbxPf+VDHp5iu4Q3PU3004hfRwwvA00Q/5VIoJDIVhSxu2Xc1mX4yES11?= =?us-ascii?Q?lu0nWkTKSlBUKDNp5pFEb6O8WhtePG0A3r+IHezn3uvB7CKHdS98g0VJPRhk?= =?us-ascii?Q?8J8mp4lUrgnBXZs9HABV5bSrMuvx/p/qGBtq0yp5i6J5gcZ2ZGZ1tfNzY2Tm?= =?us-ascii?Q?MnEdSCTbsgzwkmytiQCm0wPCE5TogPCLIeGG9EahiTkYWu/U1HhnaGYNuGub?= =?us-ascii?Q?DrSOjPXF+HaSFv4PCsWXObVTTL87+mEdotgpsdGsz94PTxC52jOdqxwLICW2?= =?us-ascii?Q?SwlTdkqgPuAO0YIQJpuGGutY3w41KD+99fkV8+IyyyQad8xtM1GIE+3ieXna?= =?us-ascii?Q?hgEhZtYJqsCxiC/ivH/y+4vp1dHCvJOZXl8y7nNmUaR8V5bGwU4bzwuuaDI7?= =?us-ascii?Q?SLJpsGVHNlO97i/0IVUqYzK750G60N1vg7OGb9hHZd33BNmiVPs7kmTaJq8m?= =?us-ascii?Q?FJddauqg6A293VAlxrY06OOyq1adux5W4X09QNBmGvkIgrxcavDlQE4bi6/K?= =?us-ascii?Q?4E1gmI0v9Or1fDXBJjFWVjJ2tmA47SNzqLoDPXsM2b2npk04vbI6Wo9mPGF7?= =?us-ascii?Q?qGtk6Rk0Z852q+V+9ZbwPp0WJfl5Ix9ALzNCQRqt/pZ8q+KatI0H45NY3TsW?= =?us-ascii?Q?oYaWjKHr0WjqrMuhhK4lkb4ZJDQsuDftjh1QvVxOdKGNAI6GH7rd+cyUni+5?= =?us-ascii?Q?HIWsb/cjF7+PxwgAq5abkWt3Q37IauHL33pHeOq1vamzShqWV66+/gE9U892?= =?us-ascii?Q?Voyfbko6AqSsvgsRDCF5oB//iaC2fLGqwRLAAqx0FB3WhEf82WR68tUcHU3Z?= =?us-ascii?Q?ztAHxkB3ZwqrJsW+4dAG17djuXfcUgGvDLj0LCBufM3t8Q0ebPlmpTRzV5dJ?= =?us-ascii?Q?c9dhsHwBuPHPBQygKoA2xrDqke7WI191Z/N+CZ2qVy4qi7pZpEq6r7cPoi6+?= =?us-ascii?Q?R0mhrWft0qx3Que7gj4jQxY3mJDrkHQtEdLlhes54LCtLto6uR1D/3jwbMVR?= =?us-ascii?Q?esHyFdOl0NX/Q9tCMfrcG2YBItkjS7q6l8gIRYPTL9RMVHGojQaFdHBy6Cv5?= =?us-ascii?Q?gdvtUSIJ9oKne3GC9M0653tPCmgQpEA7h8bbInhH4QLNIgOabbE0XAVQeMgc?= =?us-ascii?Q?3fR2aNuHTakcJ5SOzKfMfBP+9uVuFyvuPsOkhAH8v1WZB6FCU5JkyaC0YsIR?= =?us-ascii?Q?Xx9WH7xkxXMTOO6jvRBmdowbtEBnSZ22bZZRbtAs?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: SN7PR11MB8281.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: b4bd0c3e-40b8-4985-11e0-08dc235ce249 X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Feb 2024 19:35:01.9802 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: t8WotdUh5JZDDmmNIigCtzkoISUbE5dkbMYjuY3rho2U6izPmhTJUGv7Xm5vpR7WElBK9wRiT+3Xah86kZO8oYXPVSQVtapO6fodVO4jrBg= X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR11MB4734 X-OriginatorOrg: intel.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,saloni.kasbekar@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: 2isU5dPHxHkd1kgkOMRPttkix7686176AA= Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=OYFGtXYw; arc=reject ("signature check failed: fail, {[1] = sig:microsoft.com:reject}"); dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io Reviewed-by: Saloni Kasbekar -----Original Message----- From: Douglas Flick [MSFT] =20 Sent: Thursday, January 25, 2024 1:55 PM To: devel@edk2.groups.io Cc: Douglas Flick [MSFT] ; Kasbekar, Saloni ; Clark-williams, Zachary Subject: [PATCH v2 01/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-452= 30 Patch REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D4535 Bug Details: PixieFail Bug #2 CVE-2023-45230 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory B= uffer Changes Overview: > -UINT8 * > +EFI_STATUS > Dhcp6AppendOption ( > - IN OUT UINT8 *Buf, > - IN UINT16 OptType, > - IN UINT16 OptLen, > - IN UINT8 *Data > + IN OUT EFI_DHCP6_PACKET *Packet, > + IN OUT UINT8 **PacketCursor, > + IN UINT16 OptType, > + IN UINT16 OptLen, > + IN UINT8 *Data > ); Dhcp6AppendOption() and variants can return errors now. All callsites are = adapted accordingly. It gets passed in EFI_DHCP6_PACKET as additional parameter ... > + // > + // Verify the PacketCursor is within the packet // if ( =20 > + (*PacketCursor < Packet->Dhcp6.Option) > + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) > + { > + return EFI_INVALID_PARAMETER; > + } ... so it can look at Packet->Size when checking buffer space. Also to allow Packet->Length updates. Lots of checks added. Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 43 +++ NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h | 78 +++--- NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 409 +++++++++++++++++++---------- NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 373 +++++++++++++++++++++----- 4 files changed, 666 insertions(+), 237 deletions(-) diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Imp= l.h index 0eb9c669b5a1..f2422c2f2827 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h @@ -45,6 +45,49 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; #define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S') #defin= e DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I') +//+// For mo= re information on DHCP options see RFC 8415, Section 21.1+//+// The format = of DHCP options is:+//+// 0 1 2 = 3+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5= 6 7 8 9 0 1+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-= +-+-+-+-++// | option-code | option-len = |+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-= +-++// | option-data |= +// | (option-len octets) |+//= +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++//+#d= efine DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16))+#define DHCP6_SIZE_OF_OPT_LE= N (sizeof(UINT16))++//+// Combined size of Code and Length+//+#define DHC= P6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \+ = DHCP6_SIZE_OF_OPT_LEN)++STATIC_ASSERT (+ = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN =3D=3D 4,+ "Combined size of Code and = Length must be 4 per RFC 8415"+ );++//+// Offset to the length is just pas= t the code+//+#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE)= +STATIC_ASSERT (+ DHCP6_OPT_LEN_OFFSET (0) =3D=3D 2,+ "Offset of length i= s + 2 past start of option"+ );++#define DHCP6_OPT_DATA_OFFSET(a) (a + DH= CP6_SIZE_OF_COMBINED_CODE_AND_LEN)+STATIC_ASSERT (+ DHCP6_OPT_DATA_OFFSET = (0) =3D=3D 4,+ "Offset to option data should be +4 from start of option"+ = );+ #define DHCP6_PACKET_ALL 0 #define DHCP6_PACKET_STATEFUL 1 #d= efine DHCP6_PACKET_STATELESS 2diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utilit= y.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h index 046454ff4ac2..06947f6c1fcf 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h @@ -160,69 +160,85 @@ Dhcp6OnTransmitted ( ); /**- Append the appointed option to the buf, and move the buf to th= e end.+ Append the option to Buf, update the length of packet, and move Bu= f to the end. - @param[in, out] Buf The pointer to buffer.- @pa= ram[in] OptType The option type.- @param[in] OptLen = The length of option content.s- @param[in] Data The pointer= to the option content.-- @return Buf The position to ap= pend the next option.+ @param[in, out] Packet A pointer to the pac= ket, on success Packet->Length+ will be upd= ated.+ @param[in, out] PacketCursor The pointer in the packet, on succes= s PacketCursor+ will be moved to the end of= the option.+ @param[in] OptType The option type.+ @param[in]= OptLen The length of option contents.+ @param[in] Data = The pointer to the option content. + @retval EFI_INVALID_PARAM= ETER An argument provided to the function was invalid+ @retval EFI_BUFFE= R_TOO_SMALL The buffer is too small to append the option.+ @retval EFI_= SUCCESS The option is appended successfully. **/-UINT8 *+EFI_STAT= US Dhcp6AppendOption (- IN OUT UINT8 *Buf,- IN UINT16 OptType,- I= N UINT16 OptLen,- IN UINT8 *Data+ IN OUT EFI_DHCP6_PACKET *Pa= cket,+ IN OUT UINT8 **PacketCursor,+ IN UINT16 = OptType,+ IN UINT16 OptLen,+ IN UINT8 *Da= ta ); /**- Append the Ia option to Buf, and move Buf to the end.-- @pa= ram[in, out] Buf The pointer to the position to append.+ Append = the appointed Ia option to Buf, update the Ia option length, and move Buf+ = to the end of the option.+ @param[in, out] Packet A pointer to the= packet, on success Packet->Length+ will be = updated.+ @param[in, out] PacketCursor The pointer in the packet, on suc= cess PacketCursor+ will be moved to the end= of the option. @param[in] Ia The pointer to the Ia. @p= aram[in] T1 The time of T1. @param[in] T2 = The time of T2. @param[in] MessageType Message type of DHCP6 pack= age. - @return Buf The position to append the next Ia op= tion.-+ @retval EFI_INVALID_PARAMETER An argument provided to the functi= on was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to= append the option.+ @retval EFI_SUCCESS The option is appende= d successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendIaOption (- IN OUT UINT8= *Buf,- IN EFI_DHCP6_IA *Ia,- IN UINT32 T1,- IN = UINT32 T2,- IN UINT32 MessageType+ IN OUT EFI_DHCP6= _PACKET *Packet,+ IN OUT UINT8 **PacketCursor,+ IN EFI_D= HCP6_IA *Ia,+ IN UINT32 T1,+ IN UINT32 = T2,+ IN UINT32 MessageType ); /** Append the appointe= d Elapsed time option to Buf, and move Buf to the end. - @param[in, out] B= uf The pointer to the position to append.+ @param[in, out] Packe= t A pointer to the packet, on success Packet->Length+ @param[in, ou= t] PacketCursor The pointer in the packet, on success PacketCursor+ = will be moved to the end of the option. @param= [in] Instance The pointer to the Dhcp6 instance. @param[out] = Elapsed The pointer to the elapsed time value in = the generated packet. - @return Buf The = position to append the next Ia option.+ @retval EFI_INVALID_PARAMETER An= argument provided to the function was invalid+ @retval EFI_BUFFER_TOO_S= MALL The buffer is too small to append the option.+ @retval EFI_SUCCESS= The option is appended successfully. **/-UINT8 *+EFI_STATUS Dhc= p6AppendETOption (- IN OUT UINT8 *Buf,- IN DHCP6_INSTANCE = *Instance,- OUT UINT16 **Elapsed+ IN OUT EFI_DHCP6_PACKET *P= acket,+ IN OUT UINT8 **PacketCursor,+ IN DHCP6_INSTANCE = *Instance,+ OUT UINT16 **Elapsed ); /** Set the elaps= ed time based on the given instance and the pointer to the elapsed time o= ption. - @param[in] Elapsed The pointer to the position to appe= nd.- @param[in] Instance The pointer to the Dhcp6 instance.+ @r= etval EFI_INVALID_PARAMETER An argument provided to the function was inva= lid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the= option.+ @retval EFI_SUCCESS The option is appended successfu= lly. **/ VOID SetElapsedTime (diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/= NetworkPkg/Dhcp6Dxe/Dhcp6Io.c index dcd01e6268b1..bf5aa7a769de 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c @@ -3,9 +3,9 @@ (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
Copy= right (c) 2009 - 2018, Intel Corporation. All rights reserved.
+ Copyri= ght (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Pate= nt- **/ #include "Dhcp6Impl.h"@@ -930,7 +930,8 @@ Dhcp6SendSolicitMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); i= f (Packet =3D=3D NULL) {- return EFI_OUT_OF_RESOURCES;+ Status =3D EF= I_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = =3D DHCP6_BASE_PACKET_SIZE + UserLen;@@ -944,54 +945,64 @@ Dhcp6SendS= olicitMsg ( Cursor =3D Packet->Dhcp6.Option; Length =3D HTONS (ClientId->Length);= - Cursor =3D Dhcp6AppendOption (- Cursor,+ Status =3D Dhcp6Ap= pendOption (+ Packet,+ &Cursor, HTONS = (Dhcp6OptClientId), Length, ClientId->Duid = );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor =3D = Dhcp6AppendETOption (- Cursor,+ Status =3D Dhcp6AppendETOption= (+ Packet,+ &Cursor, Instance, = &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERR= OR;+ } - Cursor =3D Dhcp6AppendIaOption (- Cursor,+ Status = =3D Dhcp6AppendIaOption (+ Packet,+ &Cursor, = Instance->IaCb.Ia, Instance->IaCb.T1, Inst= ance->IaCb.T2, Packet->Dhcp6.Header.MessageType )= ;+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } // // Append user= -defined when configurate Dhcp6 service. // for (Index =3D 0; Index < I= nstance->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->= OptionList[Index];- Cursor =3D Dhcp6AppendOption (- Curs= or,+ Status =3D Dhcp6AppendOption (+ Packet,+ = &Cursor, UserOpt->OpCode, UserOpt->OpL= en, UserOpt->Data );+ if (EFI_ERROR (Sta= tus)) {+ goto ON_ERROR;+ } } - //- // Determine the size/length= of packet.- //- Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Opti= on); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to u= ser with the packet to be sent and check the user's feedback. // Status= =3D Dhcp6CallbackUser (Instance, Dhcp6SendSolicit, &Packet);- if (EFI_ER= ROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR= ; } //@@ -1005,10 +1016,8 @@ Dhcp6SendSolicitMsg ( Instance->StartTime =3D 0; Status =3D Dhcp6TransmitPacket (Instance, = Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePool (Packet);- r= eturn Status;+ goto ON_ERROR; } //@@ -1020,6 +1029,14 @@ Dhcp6SendS= olicitMsg ( Elapsed, Instance->Config->SolicitRetransmission = );++ON_ERROR:++ if (Packet) {+ FreePool (Packet);+ }++ return= Status; } /**@@ -1110,7 +1127,8 @@ Dhcp6SendRequestMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); i= f (Packet =3D=3D NULL) {- return EFI_OUT_OF_RESOURCES;+ Status =3D EF= I_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = =3D DHCP6_BASE_PACKET_SIZE + UserLen;@@ -1124,51 +1142,67 @@ Dhcp6Sen= dRequestMsg ( Cursor =3D Packet->Dhcp6.Option; Length =3D HTONS (ClientId->Length);= - Cursor =3D Dhcp6AppendOption (- Cursor,+ Status =3D Dhcp6Ap= pendOption (+ Packet,+ &Cursor, HTONS = (Dhcp6OptClientId), Length, ClientId->Duid = );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor =3D = Dhcp6AppendETOption (- Cursor,+ Status =3D Dhcp6AppendETOption= (+ Packet,+ &Cursor, Instance, = &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERR= OR;+ } - Cursor =3D Dhcp6AppendOption (- Cursor,+ Status =3D= Dhcp6AppendOption (+ Packet,+ &Cursor, = HTONS (Dhcp6OptServerId), ServerId->Length, Ser= verId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+= } - Cursor =3D Dhcp6AppendIaOption (- Cursor,+ Status =3D D= hcp6AppendIaOption (+ Packet,+ &Cursor, = Instance->IaCb.Ia, Instance->IaCb.T1, Instance-= >IaCb.T2, Packet->Dhcp6.Header.MessageType );+ i= f (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } // // Append user-defi= ned when configurate Dhcp6 service. // for (Index =3D 0; Index < Instan= ce->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->Optio= nList[Index];- Cursor =3D Dhcp6AppendOption (- Cursor,+ = Status =3D Dhcp6AppendOption (+ Packet,+ = &Cursor, UserOpt->OpCode, UserOpt->OpLen, = UserOpt->Data );+ if (EFI_ERROR (Status))= {+ goto ON_ERROR;+ } } - //- // Determine the size/length of p= acket.- //- Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); = ASSERT (Packet->Size > Packet->Length + 8); //@@ -1177,8 +1211,7 @@ Dh= cp6SendRequestMsg ( Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendRequest, &Packet); i= f (EFI_ERROR (Status)) {- FreePool (Packet);- return Status;+ goto= ON_ERROR; } //@@ -1194,14 +1227,21 @@ Dhcp6SendRequestMsg ( Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); if (EFI_E= RROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERRO= R; } // // Enqueue the sent packet for the retransmission in case re= ply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NU= LL);++ON_ERROR:++ if (Packet) {+ FreePool (Packet);+ }++ return Statu= s; } /**@@ -1266,7 +1306,8 @@ Dhcp6SendDeclineMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); if (Packet = =3D=3D NULL) {- return EFI_OUT_OF_RESOURCES;+ Status =3D EFI_OUT_OF_R= ESOURCES;+ goto ON_ERROR; } Packet->Size =3D = DHCP6_BASE_PACKET_SIZE;@@ -1280,42 +1321,58 @@ Dhcp6SendDeclineMsg ( Cursor =3D Packet->Dhcp6.Option; Length =3D HTONS (ClientId->Length);= - Cursor =3D Dhcp6AppendOption (- Cursor,+ Status =3D Dhcp6Ap= pendOption (+ Packet,+ &Cursor, HTONS = (Dhcp6OptClientId), Length, ClientId->Duid = );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor =3D = Dhcp6AppendETOption (- Cursor,+ Status =3D Dhcp6AppendETOption= (+ Packet,+ &Cursor, Instance, = &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERR= OR;+ } - Cursor =3D Dhcp6AppendOption (- Cursor,+ Status =3D= Dhcp6AppendOption (+ Packet,+ &Cursor, = HTONS (Dhcp6OptServerId), ServerId->Length, Ser= verId->Duid );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+= } - Cursor =3D Dhcp6AppendIaOption (Cursor, DecIa, 0, 0, Packet->Dhcp6.H= eader.MessageType);+ Status =3D Dhcp6AppendIaOption (+ Packet,= + &Cursor,+ DecIa,+ 0,+ 0,+= Packet->Dhcp6.Header.MessageType+ );+ if (EFI_ERR= OR (Status)) {+ goto ON_ERROR;+ } - //- // Determine the size/length = of packet.- //- Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Optio= n); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to us= er with the packet to be sent and check the user's feedback. // Status = =3D Dhcp6CallbackUser (Instance, Dhcp6SendDecline, &Packet);- if (EFI_ERR= OR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR;= } //@@ -1329,16 +1386,22 @@ Dhcp6SendDeclineMsg ( Instance->StartTime =3D 0; Status =3D Dhcp6TransmitPacket (Instance, = Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePool (Packet);- r= eturn Status;+ goto ON_ERROR; } // // Enqueue the sent packet for= the retransmission in case reply timeout. // return Dhcp6EnqueueRetry = (Instance, Packet, Elapsed, NULL);++ON_ERROR:++ if (Packet) {+ FreePool= (Packet);+ }++ return Status; } /**@@ -1399,7 +1462,8 @@ Dhcp6SendRelea= seMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); if (Packet = =3D=3D NULL) {- return EFI_OUT_OF_RESOURCES;+ Status =3D EFI_OUT_OF_R= ESOURCES;+ goto ON_ERROR; } Packet->Size =3D = DHCP6_BASE_PACKET_SIZE;@@ -1413,45 +1477,61 @@ Dhcp6SendReleaseMsg ( Cursor =3D Packet->Dhcp6.Option; Length =3D HTONS (ClientId->Length);= - Cursor =3D Dhcp6AppendOption (- Cursor,+ Status =3D Dhcp6Ap= pendOption (+ Packet,+ &Cursor, HTONS = (Dhcp6OptClientId), Length, ClientId->Duid = );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } // // Ser= verId is extracted from packet, it's network order. //- Cursor =3D Dhcp6= AppendOption (- Cursor,+ Status =3D Dhcp6AppendOption (+ = Packet,+ &Cursor, HTONS (Dhcp6OptServerId),= ServerId->Length, ServerId->Duid );= + if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor =3D Dhcp6Appe= ndETOption (- Cursor,+ Status =3D Dhcp6AppendETOption (+ = Packet,+ &Cursor, Instance, &E= lapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } -= Cursor =3D Dhcp6AppendIaOption (Cursor, RelIa, 0, 0, Packet->Dhcp6.Header= .MessageType);+ Status =3D Dhcp6AppendIaOption (+ Packet,+ = &Cursor,+ RelIa,+ 0,+ 0,+ = Packet->Dhcp6.Header.MessageType+ );+ if (EFI_ERROR (S= tatus)) {+ goto ON_ERROR;+ } - //- // Determine the size/length of pa= cket- //- Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); = ASSERT (Packet->Size > Packet->Length + 8); // // Callback to user wit= h the packet to be sent and check the user's feedback. // Status =3D Dh= cp6CallbackUser (Instance, Dhcp6SendRelease, &Packet);- if (EFI_ERROR (St= atus)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; } = //@@ -1461,16 +1541,22 @@ Dhcp6SendReleaseMsg ( Instance->IaCb.Ia->State =3D Dhcp6Releasing; Status =3D Dhcp6Transmit= Packet (Instance, Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePo= ol (Packet);- return Status;+ goto ON_ERROR; } // // Enqueue t= he sent packet for the retransmission in case reply timeout. // return = Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);++ON_ERROR:++ if (Pack= et) {+ FreePool (Packet);+ }++ return Status; } /**@@ -1529,7 +1615,8= @@ Dhcp6SendRenewRebindMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); i= f (Packet =3D=3D NULL) {- return EFI_OUT_OF_RESOURCES;+ Status =3D EF= I_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = =3D DHCP6_BASE_PACKET_SIZE + UserLen;@@ -1543,26 +1630,38 @@ Dhcp6Sen= dRenewRebindMsg ( Cursor =3D Packet->Dhcp6.Option; Length =3D HTONS (ClientId->Length);= - Cursor =3D Dhcp6AppendOption (- Cursor,+ Status =3D Dhcp6Ap= pendOption (+ Packet,+ &Cursor, HTONS = (Dhcp6OptClientId), Length, ClientId->Duid = );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor =3D = Dhcp6AppendETOption (- Cursor,+ Status =3D Dhcp6AppendETOption= (+ Packet,+ &Cursor, Instance, = &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERR= OR;+ } - Cursor =3D Dhcp6AppendIaOption (- Cursor,+ Status = =3D Dhcp6AppendIaOption (+ Packet,+ &Cursor, = Instance->IaCb.Ia, Instance->IaCb.T1, Inst= ance->IaCb.T2, Packet->Dhcp6.Header.MessageType )= ;+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } if (!RebindRequest)= { //@@ -1578,18 +1677,22 @@ Dhcp6SendRenewRebindMsg ( Dhcp6OptServerId ); if (Option =3D=3D NU= LL) {- FreePool (Packet);- return EFI_DEVICE_ERROR;+ Status = =3D EFI_DEVICE_ERROR;+ goto ON_ERROR; } ServerId =3D (EFI_DHC= P6_DUID *)(Option + 2); - Cursor =3D Dhcp6AppendOption (- = Cursor,+ Status =3D Dhcp6AppendOption (+ Packet,+ = &Cursor, HTONS (Dhcp6OptServerId), Serv= erId->Length, ServerId->Duid );+ if (EFI_E= RROR (Status)) {+ goto ON_ERROR;+ } } //@@ -1597,18 +1700,18 @= @ Dhcp6SendRenewRebindMsg ( // for (Index =3D 0; Index < Instance->Config->OptionCount; Index++) {= UserOpt =3D Instance->Config->OptionList[Index];- Cursor =3D Dhcp6= AppendOption (- Cursor,+ Status =3D Dhcp6AppendOption (+= Packet,+ &Cursor, UserOpt->O= pCode, UserOpt->OpLen, UserOpt->Data = );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } } -= //- // Determine the size/length of packet.- //- Packet->Length +=3D (= UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Le= ngth + 8); //@@ -1618,10 +1721,8 @@ Dhcp6SendRenewRebindMsg ( Event =3D (RebindRequest) ? Dhcp6EnterRebinding : Dhcp6EnterRenewing; = Status =3D Dhcp6CallbackUser (Instance, Event, &Packet);- if (EFI_ERROR = (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR; = } //@@ -1638,16 +1739,22 @@ Dhcp6SendRenewRebindMsg ( Instance->StartTime =3D 0; Status =3D Dhcp6TransmitPacket (Instance, = Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePool (Packet);- r= eturn Status;+ goto ON_ERROR; } // // Enqueue the sent packet for= the retransmission in case reply timeout. // return Dhcp6EnqueueRetry = (Instance, Packet, Elapsed, NULL);++ON_ERROR:++ if (Packet) {+ FreePool= (Packet);+ }++ return Status; } /**@@ -1811,7 +1918,8 @@ Dhcp6SendInfoR= equestMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); i= f (Packet =3D=3D NULL) {- return EFI_OUT_OF_RESOURCES;+ Status =3D EF= I_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = =3D DHCP6_BASE_PACKET_SIZE + UserLen;@@ -1828,44 +1936,56 @@ Dhcp6Sen= dInfoRequestMsg ( if (SendClientId) { Length =3D HTONS (ClientId->Length);- Cursor= =3D Dhcp6AppendOption (- Cursor,+ Status =3D Dhcp6AppendO= ption (+ Packet,+ &Cursor, HTONS= (Dhcp6OptClientId), Length, ClientId->Duid = );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } = } - Cursor =3D Dhcp6AppendETOption (- Cursor,+ Status =3D Dh= cp6AppendETOption (+ Packet,+ &Cursor, = Instance, &Elapsed );+ if (EFI_ERROR (Status)) = {+ goto ON_ERROR;+ } - Cursor =3D Dhcp6AppendOption (- Cur= sor,+ Status =3D Dhcp6AppendOption (+ Packet,+ &Cu= rsor, OptionRequest->OpCode, OptionRequest->OpLen= , OptionRequest->Data );+ if (EFI_ERROR (Status)= ) {+ goto ON_ERROR;+ } // // Append user-defined when configurate = Dhcp6 service. // for (Index =3D 0; Index < OptionCount; Index++) { = UserOpt =3D OptionList[Index];- Cursor =3D Dhcp6AppendOption (- = Cursor,+ Status =3D Dhcp6AppendOption (+ Packet= ,+ &Cursor, UserOpt->OpCode, = UserOpt->OpLen, UserOpt->Data );+ if (E= FI_ERROR (Status)) {+ goto ON_ERROR;+ } } - //- // Determine th= e size/length of packet.- //- Packet->Length +=3D (UINT32)(Cursor - Packe= t->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); //@@ -18= 77,16 +1997,22 @@ Dhcp6SendInfoRequestMsg ( // Send info-request packet with no state. // Status =3D Dhcp6Transm= itPacket (Instance, Packet, Elapsed);- if (EFI_ERROR (Status)) {- Free= Pool (Packet);- return Status;+ goto ON_ERROR; } // // Enqueue= the sent packet for the retransmission in case reply timeout. // retur= n Dhcp6EnqueueRetry (Instance, Packet, Elapsed, Retransmission);++ON_ERROR:= ++ if (Packet) {+ FreePool (Packet);+ }++ return Status; } /**@@ -19= 37,7 +2063,8 @@ Dhcp6SendConfirmMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); i= f (Packet =3D=3D NULL) {- return EFI_OUT_OF_RESOURCES;+ Status =3D EF= I_OUT_OF_RESOURCES;+ goto ON_ERROR; } Packet->Size = =3D DHCP6_BASE_PACKET_SIZE + UserLen;@@ -1951,54 +2078,64 @@ Dhcp6Sen= dConfirmMsg ( Cursor =3D Packet->Dhcp6.Option; Length =3D HTONS (ClientId->Length);= - Cursor =3D Dhcp6AppendOption (- Cursor,+ Status =3D Dhcp6Ap= pendOption (+ Packet,+ &Cursor, HTONS = (Dhcp6OptClientId), Length, ClientId->Duid = );+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } - Cursor =3D = Dhcp6AppendETOption (- Cursor,+ Status =3D Dhcp6AppendETOption= (+ Packet,+ &Cursor, Instance, = &Elapsed );+ if (EFI_ERROR (Status)) {+ goto ON_ERR= OR;+ } - Cursor =3D Dhcp6AppendIaOption (- Cursor,+ Status = =3D Dhcp6AppendIaOption (+ Packet,+ &Cursor, = Instance->IaCb.Ia, Instance->IaCb.T1, Inst= ance->IaCb.T2, Packet->Dhcp6.Header.MessageType )= ;+ if (EFI_ERROR (Status)) {+ goto ON_ERROR;+ } // // Append user= -defined when configurate Dhcp6 service. // for (Index =3D 0; Index < I= nstance->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->= OptionList[Index];- Cursor =3D Dhcp6AppendOption (- Curs= or,+ Status =3D Dhcp6AppendOption (+ Packet,+ = &Cursor, UserOpt->OpCode, UserOpt->OpL= en, UserOpt->Data );+ if (EFI_ERROR (Sta= tus)) {+ goto ON_ERROR;+ } } - //- // Determine the size/length= of packet.- //- Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Opti= on); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to u= ser with the packet to be sent and check the user's feedback. // Status= =3D Dhcp6CallbackUser (Instance, Dhcp6SendConfirm, &Packet);- if (EFI_ER= ROR (Status)) {- FreePool (Packet);- return Status;+ goto ON_ERROR= ; } //@@ -2012,16 +2149,22 @@ Dhcp6SendConfirmMsg ( Instance->StartTime =3D 0; Status =3D Dhcp6TransmitPacket (Instance, = Packet, Elapsed);- if (EFI_ERROR (Status)) {- FreePool (Packet);- r= eturn Status;+ goto ON_ERROR; } // // Enqueue the sent packet for= the retransmission in case reply timeout. // return Dhcp6EnqueueRetry = (Instance, Packet, Elapsed, NULL);++ON_ERROR:++ if (Packet) {+ FreePool= (Packet);+ }++ return Status; } /**diff --git a/NetworkPkg/Dhcp6Dxe/Dhc= p6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c index e6368b5b1c6c..705c665c519d 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c @@ -577,24 +577,33 @@ Dhcp6OnTransmitted ( } /**- Append the option to Buf, and move Buf to the end.+ Append the o= ption to Buf, update the length of packet, and move Buf to the end. - @par= am[in, out] Buf The pointer to the buffer.- @param[in] OptT= ype The option type.- @param[in] OptLen The length of op= tion contents.- @param[in] Data The pointer to the option co= ntent.+ @param[in, out] Packet A pointer to the packet, on success= Packet->Length+ will be updated.+ @param[= in, out] PacketCursor The pointer in the packet, on success PacketCursor+= will be moved to the end of the option.+ = @param[in] OptType The option type.+ @param[in] OptLen = The length of option contents.+ @param[in] Data The p= ointer to the option content. - @return Buf The position= to append the next option.+ @retval EFI_INVALID_PARAMETER An argument p= rovided to the function was invalid+ @retval EFI_BUFFER_TOO_SMALL The b= uffer is too small to append the option.+ @retval EFI_SUCCESS = The option is appended successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendOpt= ion (- IN OUT UINT8 *Buf,- IN UINT16 OptType,- IN UINT16 Opt= Len,- IN UINT8 *Data+ IN OUT EFI_DHCP6_PACKET *Packet,+ IN OUT UI= NT8 **PacketCursor,+ IN UINT16 OptType,+ IN = UINT16 OptLen,+ IN UINT8 *Data ) {+ UINT32= Length;+ UINT32 BytesNeeded;+ // // The format of Dhcp6 option: = //@@ -607,35 +616,95 @@ Dhcp6AppendOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ = // - ASSERT (OptLen !=3D 0);+ //+ // Verify the arguments are valid+ = //+ if (Packet =3D=3D NULL) {+ return EFI_INVALID_PARAMETER;+ } - Wri= teUnaligned16 ((UINT16 *)Buf, OptType);- Buf +=3D 2;- WriteUnaligned16 ((= UINT16 *)Buf, OptLen);- Buf +=3D 2;- CopyMem (Buf, Data, NTOHS (OptLen));= - Buf +=3D NTOHS (OptLen);+ if ((PacketCursor =3D=3D NULL) || (*PacketCur= sor =3D=3D NULL)) {+ return EFI_INVALID_PARAMETER;+ } - return Buf;+ = if (Data =3D=3D NULL) {+ return EFI_INVALID_PARAMETER;+ }++ if (OptLen= =3D=3D 0) {+ return EFI_INVALID_PARAMETER;+ }++ //+ // Verify the Pa= cketCursor is within the packet+ //+ if ( (*PacketCursor < Packet->Dhcp6= .Option)+ || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size -= sizeof (EFI_DHCP6_HEADER))))+ {+ return EFI_INVALID_PARAMETER;+ }++ = //+ // Calculate the bytes needed for the option+ //+ BytesNeeded =3D DH= CP6_SIZE_OF_COMBINED_CODE_AND_LEN + NTOHS (OptLen);++ //+ // Space remain= ing in the packet+ //+ Length =3D Packet->Size - Packet->Length;+ if (Le= ngth < BytesNeeded) {+ return EFI_BUFFER_TOO_SMALL;+ }++ //+ // Verif= y the PacketCursor is within the packet+ //+ if ( (*PacketCursor < Packe= t->Dhcp6.Option)+ || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet= ->Size - sizeof (EFI_DHCP6_HEADER))))+ {+ return EFI_INVALID_PARAMETER;= + }++ WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType);+ *PacketCurso= r +=3D DHCP6_SIZE_OF_OPT_CODE;+ WriteUnaligned16 ((UINT16 *)*PacketCursor,= OptLen);+ *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN;+ CopyMem (*PacketCur= sor, Data, NTOHS (OptLen));+ *PacketCursor +=3D NTOHS (OptLen);++ // Upda= te the packet length by the length of the option + 4 bytes+ Packet->Length= +=3D BytesNeeded;++ return EFI_SUCCESS; } /** Append the appointed IA = Address option to Buf, and move Buf to the end. - @param[in, out] Buf = The pointer to the position to append.+ @param[in, out] Packet = A pointer to the packet, on success Packet->Length+ = will be updated.+ @param[in, out] PacketCursor The pointer in t= he packet, on success PacketCursor+ will be = moved to the end of the option. @param[in] IaAddr The pointer= to the IA Address. @param[in] MessageType Message type of DHCP6 p= ackage. - @return Buf The position to append the next op= tion.+ @retval EFI_INVALID_PARAMETER An argument provided to the functio= n was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to = append the option.+ @retval EFI_SUCCESS The option is appended= successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendIaAddrOption (- IN OUT U= INT8 *Buf,+ IN OUT EFI_DHCP6_PACKET *Packet,+ IN OUT= UINT8 **PacketCursor, IN EFI_DHCP6_IA_ADDRESS *IaAd= dr, IN UINT32 MessageType ) {+ UINT32 BytesNeeded;= + UINT32 Length;+ // The format of the IA Address option is: // //= 0 1 2 3@@ -657= ,17 +726,60 @@ Dhcp6AppendIaAddrOption ( // . = . // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+= -+ + //+ // Verify the arguments are valid+ //+ if (Packet =3D=3D NULL)= {+ return EFI_INVALID_PARAMETER;+ }++ if ((PacketCursor =3D=3D NULL) = || (*PacketCursor =3D=3D NULL)) {+ return EFI_INVALID_PARAMETER;+ }++ = if (IaAddr =3D=3D NULL) {+ return EFI_INVALID_PARAMETER;+ }++ //+ // = Verify the PacketCursor is within the packet+ //+ if ( (*PacketCursor < = Packet->Dhcp6.Option)+ || (*PacketCursor >=3D Packet->Dhcp6.Option + (P= acket->Size - sizeof (EFI_DHCP6_HEADER))))+ {+ return EFI_INVALID_PARAM= ETER;+ }++ BytesNeeded =3D DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;+ BytesN= eeded +=3D sizeof (EFI_IPv6_ADDRESS);+ //+ // Even if the preferred-lifet= ime is 0, it still needs to store it.+ //+ BytesNeeded +=3D sizeof (IaAdd= r->PreferredLifetime);+ //+ // Even if the valid-lifetime is 0, it still = needs to store it.+ //+ BytesNeeded +=3D sizeof (IaAddr->ValidLifetime);+= + //+ // Space remaining in the packet+ //+ Length =3D Packet->Size - P= acket->Length;+ if (Length < BytesNeeded) {+ return EFI_BUFFER_TOO_SMAL= L;+ }+ // // Fill the value of Ia Address option type //- WriteUnal= igned16 ((UINT16 *)Buf, HTONS (Dhcp6OptIaAddr));- Buf +=3D 2;+ WriteUnali= gned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptIaAddr));+ *PacketCursor += =3D DHCP6_SIZE_OF_OPT_CODE; - WriteUnaligned16 ((UINT16 *)Buf, HTONS (size= of (EFI_DHCP6_IA_ADDRESS)));- Buf +=3D 2;+ WriteUnaligned16 ((UINT16 *)*P= acketCursor, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS)));+ *PacketCursor +=3D D= HCP6_SIZE_OF_OPT_LEN; - CopyMem (Buf, &IaAddr->IpAddress, sizeof (EFI_IPv6= _ADDRESS));- Buf +=3D sizeof (EFI_IPv6_ADDRESS);+ CopyMem (*PacketCursor,= &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS));+ *PacketCursor +=3D sizeo= f (EFI_IPv6_ADDRESS); // // Fill the value of preferred-lifetime and v= alid-lifetime.@@ -675,44 +787,58 @@ Dhcp6AppendIaAddrOption ( // should set to 0 when initiate a Confirm message. // if (MessageTy= pe !=3D Dhcp6MsgConfirm) {- WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAd= dr->PreferredLifetime));+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTO= NL (IaAddr->PreferredLifetime)); } - Buf +=3D 4;+ *PacketCursor +=3D si= zeof (IaAddr->PreferredLifetime); if (MessageType !=3D Dhcp6MsgConfirm) = {- WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->ValidLifetime));+ = WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->ValidLifetime)); = } - Buf +=3D 4;+ *PacketCursor +=3D sizeof (IaAddr->ValidLifetime); - = return Buf;+ //+ // Update the packet length+ //+ Packet->Length +=3D B= ytesNeeded;++ return EFI_SUCCESS; } /** Append the appointed Ia option = to Buf, and move Buf to the end. - @param[in, out] Buf The point= er to the position to append.+ @param[in, out] Packet A pointer to = the packet, on success Packet->Length+ will = be updated.+ @param[in, out] PacketCursor The pointer in the packet, on s= uccess PacketCursor+ will be moved to the en= d of the option. @param[in] Ia The pointer to the Ia. @= param[in] T1 The time of T1. @param[in] T2 = The time of T2. @param[in] MessageType Message type of DHCP6 pac= kage. - @return Buf The position to append the next Ia o= ption.+ @retval EFI_INVALID_PARAMETER An argument provided to the functi= on was invalid+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to= append the option.+ @retval EFI_SUCCESS The option is appende= d successfully. **/-UINT8 *+EFI_STATUS Dhcp6AppendIaOption (- IN OUT UINT= 8 *Buf,- IN EFI_DHCP6_IA *Ia,- IN UINT32 T1,- IN= UINT32 T2,- IN UINT32 MessageType+ IN OUT EFI_DHCP= 6_PACKET *Packet,+ IN OUT UINT8 **PacketCursor,+ IN EFI_= DHCP6_IA *Ia,+ IN UINT32 T1,+ IN UINT32 = T2,+ IN UINT32 MessageType ) {- UINT8 *AddrOpt;- UI= NT16 *Len;- UINTN Index;+ UINT8 *AddrOpt;+ UINT16 *Len;+ = UINTN Index;+ UINT32 BytesNeeded;+ UINT32 Length;+ EFI_S= TATUS Status; // // The format of IA_NA and IA_TA option:@@ -733,32 = +859,74 @@ Dhcp6AppendIaOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ = // + //+ // Verify the arguments are valid+ //+ if (Packet =3D=3D NUL= L) {+ return EFI_INVALID_PARAMETER;+ }++ if ((PacketCursor =3D=3D NULL= ) || (*PacketCursor =3D=3D NULL)) {+ return EFI_INVALID_PARAMETER;+ }++= if (Ia =3D=3D NULL) {+ return EFI_INVALID_PARAMETER;+ }++ //+ // Ve= rify the PacketCursor is within the packet+ //+ if ( (*PacketCursor < Pa= cket->Dhcp6.Option)+ || (*PacketCursor >=3D Packet->Dhcp6.Option + (Pac= ket->Size - sizeof (EFI_DHCP6_HEADER))))+ {+ return EFI_INVALID_PARAMET= ER;+ }++ BytesNeeded =3D DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;+ BytesNee= ded +=3D sizeof (Ia->Descriptor.IaId);+ //+ // + N for the IA_NA-options/= IA_TA-options+ // Dhcp6AppendIaAddrOption will need to check the length fo= r each address+ //+ if (Ia->Descriptor.Type =3D=3D Dhcp6OptIana) {+ By= tesNeeded +=3D sizeof (T1) + sizeof (T2);+ }++ //+ // Space remaining in= the packet+ //+ Length =3D (UINT16)(Packet->Size - Packet->Length);+ if= (Length < BytesNeeded) {+ return EFI_BUFFER_TOO_SMALL;+ }+ // // F= ill the value of Ia option type //- WriteUnaligned16 ((UINT16 *)Buf, HTO= NS (Ia->Descriptor.Type));- Buf +=3D 2;+ WriteUnaligned16 ((UINT16 *)*Pac= ketCursor, HTONS (Ia->Descriptor.Type));+ *PacketCursor +=3D DHCP6_SIZE_OF= _OPT_CODE; // // Fill the len of Ia option later, keep the pointer fir= st //- Len =3D (UINT16 *)Buf;- Buf +=3D 2;+ Len =3D (UINT1= 6 *)*PacketCursor;+ *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN; // // F= ill the value of iaid //- WriteUnaligned32 ((UINT32 *)Buf, HTONL (Ia->De= scriptor.IaId));- Buf +=3D 4;+ WriteUnaligned32 ((UINT32 *)*PacketCursor,= HTONL (Ia->Descriptor.IaId));+ *PacketCursor +=3D sizeof (Ia->Descriptor.= IaId); // // Fill the value of t1 and t2 if iana, keep it 0xffffffff i= f no specified. // if (Ia->Descriptor.Type =3D=3D Dhcp6OptIana) {- W= riteUnaligned32 ((UINT32 *)Buf, HTONL ((T1 !=3D 0) ? T1 : 0xffffffff));- = Buf +=3D 4;- WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T2 !=3D 0) ? T2 := 0xffffffff));- Buf +=3D 4;+ WriteUnaligned32 ((UINT32 *)*PacketCurso= r, HTONL ((T1 !=3D 0) ? T1 : 0xffffffff));+ *PacketCursor +=3D sizeof (T= 1);+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T2 !=3D 0) ? T2 = : 0xffffffff));+ *PacketCursor +=3D sizeof (T2); } //@@ -766,35 +93= 4,51 @@ Dhcp6AppendIaOption ( // for (Index =3D 0; Index < Ia->IaAddressCount; Index++) { AddrOp= t =3D (UINT8 *)Ia->IaAddress + Index * sizeof (EFI_DHCP6_IA_ADDRESS);- B= uf =3D Dhcp6AppendIaAddrOption (Buf, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, M= essageType);+ Status =3D Dhcp6AppendIaAddrOption (Packet, PacketCursor,= (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType);+ if (EFI_ERROR (Status))= {+ return Status;+ } } // // Fill the value of Ia option le= ngth //- *Len =3D HTONS ((UINT16)(Buf - (UINT8 *)Len - 2));+ *Len =3D H= TONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2)); - return Buf;+ //+ //= Update the packet length+ //+ Packet->Length +=3D BytesNeeded;++ return= EFI_SUCCESS; } /** Append the appointed Elapsed time option to Buf, and= move Buf to the end. - @param[in, out] Buf The pointer to the p= osition to append.+ @param[in, out] Packet A pointer to the packet,= on success Packet->Length+ @param[in, out] PacketCursor The pointer in t= he packet, on success PacketCursor+ will be = moved to the end of the option. @param[in] Instance The pointer= to the Dhcp6 instance. @param[out] Elapsed The pointer to the = elapsed time value in- the generated packe= t.+ the generated packet. - @return = Buf The position to append the next Ia option.+ @retval EFI_I= NVALID_PARAMETER An argument provided to the function was invalid+ @retval= EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.+ @r= etval EFI_SUCCESS The option is appended successfully. **/-UIN= T8 *+EFI_STATUS Dhcp6AppendETOption (- IN OUT UINT8 *Buf,- IN = DHCP6_INSTANCE *Instance,- OUT UINT16 **Elapsed+ IN OUT E= FI_DHCP6_PACKET *Packet,+ IN OUT UINT8 **PacketCursor,+ IN = DHCP6_INSTANCE *Instance,+ OUT UINT16 **Elapsed ) {+= UINT32 BytesNeeded;+ UINT32 Length;+ // // The format of elapsed = time option: //@@ -806,27 +990,70 @@ Dhcp6AppendETOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // + //+ // Verify the argumen= ts are valid+ //+ if (Packet =3D=3D NULL) {+ return EFI_INVALID_PARAME= TER;+ }++ if ((PacketCursor =3D=3D NULL) || (*PacketCursor =3D=3D NULL)) = {+ return EFI_INVALID_PARAMETER;+ }++ if (Instance =3D=3D NULL) {+ = return EFI_INVALID_PARAMETER;+ }++ if ((Elapsed =3D=3D NULL)) {+ retur= n EFI_INVALID_PARAMETER;+ }++ //+ // Verify the PacketCursor is within t= he packet+ //+ if ( (*PacketCursor < Packet->Dhcp6.Option)+ || (*Pac= ketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEA= DER))))+ {+ return EFI_INVALID_PARAMETER;+ }++ BytesNeeded =3D DHCP6_= SIZE_OF_COMBINED_CODE_AND_LEN;+ //+ // + 2 for elapsed-time+ //+ BytesN= eeded +=3D sizeof (UINT16);+ //+ // Space remaining in the packet+ //+ = Length =3D Packet->Size - Packet->Length;+ if (Length < BytesNeeded) {+ = return EFI_BUFFER_TOO_SMALL;+ }+ // // Fill the value of elapsed-time= option type. //- WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptElapse= dTime));- Buf +=3D 2;+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (= Dhcp6OptElapsedTime));+ *PacketCursor +=3D DHCP6_SIZE_OF_OPT_CODE; // = // Fill the len of elapsed-time option, which is fixed. //- WriteUnalig= ned16 ((UINT16 *)Buf, HTONS (2));- Buf +=3D 2;+ WriteUnaligned16 ((UINT16= *)*PacketCursor, HTONS (2));+ *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN; = // // Fill in elapsed time value with 0 value for now. The actual valu= e is // filled in later just before the packet is transmitted. //- Wri= teUnaligned16 ((UINT16 *)Buf, HTONS (0));- *Elapsed =3D (UINT16 *)Buf;- B= uf +=3D 2;+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (0));+ *= Elapsed =3D (UINT16 *)*PacketCursor;+ *PacketCursor +=3D sizeof (UIN= T16); - return Buf;+ Packet->Length +=3D BytesNeeded;++ return EFI_SUCCE= SS; } /**--=20 2.43.0 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114954): https://edk2.groups.io/g/devel/message/114954 Mute This Topic: https://groups.io/mt/103964976/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-