From: "Liming Gao"
To: "devel@edk2.groups.io", "Wu, Jiaxin", "Fu, Siyuan", Maciej Rabeda
Subject: Re: [edk2-devel] [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
Date: Wed, 19 Feb 2020 05:23:33 +0000
References: <20200218055203.14732-1-Jiaxin.wu@intel.com>
In-Reply-To: <20200218055203.14732-1-Jiaxin.wu@intel.com>

Siyuan and Maciej:

Can you help review this patch? I would like to make this CVE fix catch the stable tag edk2 202002.

Thanks
Liming

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Wu, Jiaxin
> Sent: Tuesday, February 18, 2020 1:52 PM
> To: devel@edk2.groups.io
> Cc: Fu, Siyuan; Maciej Rabeda; Wu, Jiaxin
> Subject: [edk2-devel] [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
>
> v3: correct the coding style.
> v2: correct the commit message & add BZ number.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610
>
> This patch is to check the received package length to make sure the package has a valid length field.
>
> Cc: Fu Siyuan
> Cc: Maciej Rabeda
> Signed-off-by: Wu Jiaxin
> ---
> NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++++++++---------
> 1 file changed, 37 insertions(+), 9 deletions(-)
>
> diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c
> index fec242c71f..868f04812c 100644
> --- a/NetworkPkg/Ip4Dxe/Ip4Input.c
> +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c
> @@ -1,9 +1,9 @@ > /** @file > IP4 input process. >=20 > -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.
> (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
>=20 > SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > **/ > @@ -709,14 +709,10 @@ Ip4PreProcessPacket ( > UINT16 Checksum; >=20 > // > // Check if the IP4 header is correctly formatted. > // > - if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) { > - return EFI_INVALID_PARAMETER; > - } > - > HeadLen =3D (Head->HeadLen << 2); > TotalLen =3D NTOHS (Head->TotalLen); >=20 > // > // Mnp may deliver frame trailer sequence up, trim it off. > @@ -806,10 +802,34 @@ Ip4PreProcessPacket ( > } >=20 > return EFI_SUCCESS; > } >=20 > +/** > + This function checks the IPv4 packet length. > + > + @param[in] Packet Pointer to the IPv4 Packet to be che= cked. > + > + @retval TRUE The input IPv4 packet length is valid. > + @retval FALSE The input IPv4 packet length is invali= d. > + > +**/ > +BOOLEAN > +Ip4IsValidPacketLength ( > + IN NET_BUF *Packet > + ) > +{ > + // > + // Check the IP4 packet length. > + // > + if (Packet->TotalSize < IP4_MIN_HEADLEN) { > + return FALSE; > + } > + > + return TRUE; > +} > + > /** > The IP4 input routine. It is called by the IP4_INTERFACE when a > IP4 fragment is received from MNP. >=20 > @param[in] Ip4Instance The IP4 child that request the receive= , most like > @@ -842,10 +862,14 @@ Ip4AccpetFrame ( >=20 > if (EFI_ERROR (IoStatus) || (IpSb->State =3D=3D IP4_SERVICE_DESTROY))= { > goto DROP; > } >=20 > + if (!Ip4IsValidPacketLength (Packet)) { > + goto RESTART; > + } > + > Head =3D (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); > ASSERT (Head !=3D NULL); > OptionLen =3D (Head->HeadLen << 2) - IP4_MIN_HEADLEN; > if (OptionLen > 0) { > Option =3D (UINT8 *) (Head + 1); 
> @@ -888,14 +912,18 @@ Ip4AccpetFrame ( > // > // If the packet is protected by tunnel mode, parse the inner Ip Pack= et. > // > ZeroMem (&ZeroHead, sizeof (IP4_HEAD)); > if (0 =3D=3D CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) { > - // Packet may have been changed. Head, HeadLen, TotalLen, and > - // info must be reloaded before use. The ownership of the packet > - // is transferred to the packet process logic. > - // > + // Packet may have been changed. Head, HeadLen, TotalLen, and > + // info must be reloaded before use. The ownership of the packet > + // is transferred to the packet process logic. > + // > + if (!Ip4IsValidPacketLength (Packet)) { > + goto RESTART; > + } > + > Head =3D (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); > ASSERT (Head !=3D NULL); > Status =3D Ip4PreProcessPacket ( > IpSb, > &Packet, > -- > 2.16.2.windows.1 >=20 >=20 >=20
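Review bot: Dropping the TotalSize < IP4_MIN_HEADLEN guard from Ip4PreProcessPacket (hunk @@ -709,14 +709,10 @@) makes that function depend on every caller having run Ip4IsValidPacketLength first, but the diff only updates the two call sites in Ip4AccpetFrame; any other caller of Ip4PreProcessPacket, now or added later, would read Head->HeadLen and Head->TotalLen from a buffer shorter than the fixed header. Since the guard is a single comparison, keep it in Ip4PreProcessPacket as well (returning EFI_INVALID_PARAMETER as before), or at least state the precondition in the function's comment block.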
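Review bot: Ip4IsValidPacketLength (hunk @@ -806,10 +802,34 @@) only verifies Packet->TotalSize >= IP4_MIN_HEADLEN, which is narrower than its name and doc comment ("The input IPv4 packet length is valid") suggest. The caller in Ip4AccpetFrame then computes OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN and points Option at Head + 1 before Ip4PreProcessPacket runs, so a header whose HeadLen field advertises more bytes than TotalSize, or fewer than IP4_MIN_HEADLEN (which makes OptionLen negative or wrap, depending on its type), is not rejected by this helper. Either extend the check to compare (Head->HeadLen << 2) against TotalSize, or rename and document the function as a minimum-header-size check and say where the full header length is validated.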
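Review bot: In Ip4AccpetFrame (hunk @@ -842,10 +862,14 @@) the new short-packet case jumps to RESTART, whereas the errors immediately above it (an IoStatus failure or IP4_SERVICE_DESTROY) go to DROP, and the check being replaced used to fail Ip4PreProcessPacket with EFI_INVALID_PARAMETER. Please confirm that RESTART rather than DROP is the intended disposition for a malformed frame and say so in the commit message; the hunk does not show what either label does with Packet, so a reader cannot tell from the diff whether the truncated buffer is freed before the next receive.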
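Review bot: In the tunnel-mode branch (hunk @@ -888,14 +912,18 @@) the four comment lines are removed and re-added with what appears to be identical text, differing only in whitespace; that churn is unrelated to the CVE fix and makes the hunk harder to audit. Keep only the inserted Ip4IsValidPacketLength check here, or move the re-indentation into a separate coding-style commit. Placing the check before NetbufGetByte reloads Head is the right spot, since the inner packet's size need not match the outer one that was already validated.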