diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index b4e0007926..d25b9734d8 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -2,7 +2,7 @@ Dhcp6 internal functions implementation. (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
+ Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License
@@ -2827,6 +2827,10 @@ Dhcp6ReceivePacket ( return ; } + if (Udp6Wrap->TotalSize < sizeof (EFI_DHCP6_HEADER)) { + goto ON_CONTINUE; + } + // // Copy the net buffer received from upd6 to a Dhcp6 packet. //
diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c
index 19184415e5..4f10e17cf3 100644
--- a/NetworkPkg/DnsDxe/DnsImpl.c
+++ b/NetworkPkg/DnsDxe/DnsImpl.c
@@ -1615,6 +1615,10 @@ DnsOnPacketReceived ( } ASSERT (Packet != NULL); + + if (Packet->TotalSize <= sizeof (DNS_HEADER)) { + goto ON_EXIT; + } RcvString = NetbufGetByte (Packet, 0, NULL); ASSERT (RcvString != NULL);
@@ -1624,15 +1628,15 @@ DnsOnPacketReceived ( // ParseDnsResponse (Instance, RcvString, &Completed); - ON_EXIT: +ON_EXIT: - if (Packet != NULL) { - NetbufFree (Packet); - } + if (Packet != NULL) { + NetbufFree (Packet); + } - if (!Completed) { - UdpIoRecvDatagram (Instance->UdpIo, DnsOnPacketReceived, Instance, 0); - } + if (!Completed) { + UdpIoRecvDatagram (Instance->UdpIo, DnsOnPacketReceived, Instance, 0); + } } /**
diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
index d0118f1d88..745ee4cc6e 100644
--- a/NetworkPkg/TcpDxe/TcpInput.c
+++ b/NetworkPkg/TcpDxe/TcpInput.c
@@ -1,7 +1,7 @@ /** @file TCP input process routines.
- Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
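Review bot: The new short-packet exit in Dhcp6ReceivePacket drops the datagram without leaving any trace, whereas the equivalent check added to TcpInput logs `TcpInput: received a malformed packet`; the checks added to DnsOnPacketReceived, TcpIcmpInput, Udp6Demultiplex and Udp6IcmpHandler are silent in the same way. A line such as `DEBUG ((EFI_D_INFO, "Dhcp6ReceivePacket: received a malformed packet\n"));` before `goto ON_CONTINUE;` would make truncated-packet drops visible when diagnosing a broken or hostile network. The ON_CONTINUE cleanup lies outside the hunk, so it should be confirmed that every local it reads or frees is already initialised when this jump is taken.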
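Review bot: The new check in DnsOnPacketReceived only proves the datagram is longer than `DNS_HEADER`, while `ParseDnsResponse (Instance, RcvString, &Completed)` in the following hunk is still given no length, so nothing visible lets the parser bound its reads against `Packet->TotalSize`. Its body is outside this diff; if it walks the question and answer sections using counts and lengths taken from the packet, the length should be passed in and checked at each step. The `goto ON_EXIT` path also reads `Completed`, whose initialisation is above the hunk and should be confirmed to precede this jump. A one-line comment such as `// A response with no bytes after the header carries nothing to parse.` would explain why this test uses `<=` where the other checks in the commit use `<`.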
+ Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License
@@ -748,11 +748,18 @@ TcpInput ( Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL); ASSERT (Head != NULL); + + if (Nbuf->TotalSize < sizeof (TCP_HEAD)) { + DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n")); + goto DISCARD; + } + Len = Nbuf->TotalSize - (Head->HeadLen << 2); if ((Head->HeadLen < 5) || (Len < 0)) { DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n")); + goto DISCARD; }
@@ -1560,6 +1567,10 @@ TcpIcmpInput ( BOOLEAN IcmpErrIsHard; BOOLEAN IcmpErrNotify; + if (Nbuf->TotalSize < sizeof (TCP_HEAD)) { + goto CLEAN_EXIT; + } + Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL); ASSERT (Head != NULL);
diff --git a/NetworkPkg/Udp6Dxe/Udp6Impl.c b/NetworkPkg/Udp6Dxe/Udp6Impl.c
index 40e3aff069..7ed50411c6 100644
--- a/NetworkPkg/Udp6Dxe/Udp6Impl.c
+++ b/NetworkPkg/Udp6Dxe/Udp6Impl.c
@@ -1,7 +1,7 @@ /** @file Udp6 driver's whole implementation.
- Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
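Review bot: In TcpInput the size test is placed after `Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);` and `ASSERT (Head != NULL);`, so a zero-length buffer reaches the ASSERT before it is rejected, whereas TcpIcmpInput in the next hunk tests `Nbuf->TotalSize` first. Assuming NetbufGetByte returns NULL when offset 0 is beyond the data, moving the `if (Nbuf->TotalSize < sizeof (TCP_HEAD))` block above the NetbufGetByte call avoids tripping the assertion in debug builds on input taken from the network, and keeps the two functions consistent. Both rejection branches print the same `TcpInput: received a malformed packet` text; distinct messages would tell a truncated header from a bad `HeadLen`. The function body continues outside the hunk.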
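Review bot: Requiring a full `sizeof (TCP_HEAD)` in TcpIcmpInput may discard legitimate ICMP errors, because an ICMPv4 error message is only required to quote the IP header plus the first 64 bits of the offending datagram (RFC 792). The rest of the function is outside the hunk; if it reads only the ports and the sequence number, which lie within those first 8 bytes, the bound could be the size of the fields actually used rather than the whole header. If the full header really is needed, or this path only ever sees ICMPv6, a short comment above the check saying so would explain the stricter limit.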
+ Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License
@@ -1598,6 +1598,11 @@ Udp6Demultiplex ( EFI_UDP6_SESSION_DATA *Udp6Session; UINTN Enqueued; + if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) { + NetbufFree (Packet); + return; + } + // // Get the datagram header from the packet buffer. //
@@ -1619,6 +1624,7 @@ Udp6Demultiplex ( // // Wrong checksum. // + NetbufFree (Packet); return; } }
@@ -1834,6 +1840,11 @@ Udp6IcmpHandler ( LIST_ENTRY *Entry; UDP6_INSTANCE_DATA *Instance; + if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) { + NetbufFree (Packet); + return; + } + Udp6Header = (EFI_UDP_HEADER *) NetbufGetByte (Packet, 0, NULL); ASSERT (Udp6Header != NULL);
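Review bot: Udp6Demultiplex now frees `Packet` itself on the short-packet return in its first hunk and on the wrong-checksum return in the next one, and Udp6IcmpHandler does the same in the last hunk, but the buffer-ownership rule this implies is not written down anywhere visible. The remaining return paths of both functions are outside the diff, so it should be confirmed that each of them also releases `Packet`; otherwise the leak this commit closes for bad checksums persists elsewhere. I would add a sentence to each function's header comment stating that the function takes ownership of `Packet` and frees it on every path.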