NetworkPkg: Check for the max DHCP packet length before use it.

This patch updates the PXE and HTTP boot driver to drop the input DHCP packet if it exceed the maximum length. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
2016-11-16 13:37:15 +08:00
parent 4f6b33b460
commit 632dcfd685
9 changed files with 91 additions and 18 deletions
--- a/NetworkPkg/HttpBootDxe/HttpBootDhcp4.h
+++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp4.h
@@ -178,10 +178,12 @@ typedef struct {
  UINT32         Reserved;
 } HTTP_BOOT_VENDOR_OPTION;

+#define HTTP_CACHED_DHCP4_PACKET_MAX_SIZE  (OFFSET_OF (EFI_DHCP4_PACKET, Dhcp4) + HTTP_BOOT_DHCP4_PACKET_MAX_SIZE)
+
 typedef union {
  EFI_DHCP4_PACKET        Offer;
  EFI_DHCP4_PACKET        Ack;
-  UINT8                   Buffer[HTTP_BOOT_DHCP4_PACKET_MAX_SIZE];
+  UINT8                   Buffer[HTTP_CACHED_DHCP4_PACKET_MAX_SIZE];
 } HTTP_BOOT_DHCP4_PACKET;

 typedef struct {
--- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
+++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
@@ -427,6 +427,12 @@ HttpBootDhcp6CallBack (
    
   case Dhcp6RcvdAdvertise:
     Status = EFI_NOT_READY;
+    if (Packet->Length > HTTP_BOOT_DHCP6_PACKET_MAX_SIZE) {
+      //
+      // Ignore the incoming packets which exceed the maximum length.
+      //
+      break;
+    }
     if (Private->OfferNum < HTTP_BOOT_OFFER_MAX_NUM) {
       //
       // Cache the dhcp offers to OfferBuffer[] for select later, and record
--- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.h
+++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.h
@@ -75,10 +75,12 @@ typedef union {
  HTTP_BOOT_DHCP6_OPTION_VENDOR_CLASS   *VendorClass;
 } HTTP_BOOT_DHCP6_OPTION_ENTRY;

+#define HTTP_CACHED_DHCP6_PACKET_MAX_SIZE  (OFFSET_OF (EFI_DHCP6_PACKET, Dhcp6) + HTTP_BOOT_DHCP6_PACKET_MAX_SIZE)
+
 typedef union {
  EFI_DHCP6_PACKET        Offer;
  EFI_DHCP6_PACKET        Ack;
-  UINT8                   Buffer[HTTP_BOOT_DHCP6_PACKET_MAX_SIZE];
+  UINT8                   Buffer[HTTP_CACHED_DHCP6_PACKET_MAX_SIZE];
 } HTTP_BOOT_DHCP6_PACKET;

 typedef struct {
--- a/NetworkPkg/HttpBootDxe/HttpBootImpl.c
+++ b/NetworkPkg/HttpBootDxe/HttpBootImpl.c
@@ -126,11 +126,11 @@ HttpBootStart (
  ZeroMem (Private->OfferBuffer, sizeof (Private->OfferBuffer));
  if (!Private->UsingIpv6) {
    for (Index = 0; Index < HTTP_BOOT_OFFER_MAX_NUM; Index++) {
-      Private->OfferBuffer[Index].Dhcp4.Packet.Offer.Size = HTTP_BOOT_DHCP4_PACKET_MAX_SIZE;
+      Private->OfferBuffer[Index].Dhcp4.Packet.Offer.Size = HTTP_CACHED_DHCP4_PACKET_MAX_SIZE;
    }
  } else {
    for (Index = 0; Index < HTTP_BOOT_OFFER_MAX_NUM; Index++) {
-      Private->OfferBuffer[Index].Dhcp6.Packet.Offer.Size = HTTP_BOOT_DHCP6_PACKET_MAX_SIZE;
+      Private->OfferBuffer[Index].Dhcp6.Packet.Offer.Size = HTTP_CACHED_DHCP6_PACKET_MAX_SIZE;
    }
  }