NetworkPkg: Check for the max DHCP packet length before use it.
This patch updates the PXE and HTTP boot driver to drop the input DHCP packet if it exceed the maximum length. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
This commit is contained in:
@@ -178,10 +178,12 @@ typedef struct {
|
||||
UINT32 Reserved;
|
||||
} HTTP_BOOT_VENDOR_OPTION;
|
||||
|
||||
#define HTTP_CACHED_DHCP4_PACKET_MAX_SIZE (OFFSET_OF (EFI_DHCP4_PACKET, Dhcp4) + HTTP_BOOT_DHCP4_PACKET_MAX_SIZE)
|
||||
|
||||
typedef union {
|
||||
EFI_DHCP4_PACKET Offer;
|
||||
EFI_DHCP4_PACKET Ack;
|
||||
UINT8 Buffer[HTTP_BOOT_DHCP4_PACKET_MAX_SIZE];
|
||||
UINT8 Buffer[HTTP_CACHED_DHCP4_PACKET_MAX_SIZE];
|
||||
} HTTP_BOOT_DHCP4_PACKET;
|
||||
|
||||
typedef struct {
|
||||
|
@@ -427,6 +427,12 @@ HttpBootDhcp6CallBack (
|
||||
|
||||
case Dhcp6RcvdAdvertise:
|
||||
Status = EFI_NOT_READY;
|
||||
if (Packet->Length > HTTP_BOOT_DHCP6_PACKET_MAX_SIZE) {
|
||||
//
|
||||
// Ignore the incoming packets which exceed the maximum length.
|
||||
//
|
||||
break;
|
||||
}
|
||||
if (Private->OfferNum < HTTP_BOOT_OFFER_MAX_NUM) {
|
||||
//
|
||||
// Cache the dhcp offers to OfferBuffer[] for select later, and record
|
||||
|
@@ -75,10 +75,12 @@ typedef union {
|
||||
HTTP_BOOT_DHCP6_OPTION_VENDOR_CLASS *VendorClass;
|
||||
} HTTP_BOOT_DHCP6_OPTION_ENTRY;
|
||||
|
||||
#define HTTP_CACHED_DHCP6_PACKET_MAX_SIZE (OFFSET_OF (EFI_DHCP6_PACKET, Dhcp6) + HTTP_BOOT_DHCP6_PACKET_MAX_SIZE)
|
||||
|
||||
typedef union {
|
||||
EFI_DHCP6_PACKET Offer;
|
||||
EFI_DHCP6_PACKET Ack;
|
||||
UINT8 Buffer[HTTP_BOOT_DHCP6_PACKET_MAX_SIZE];
|
||||
UINT8 Buffer[HTTP_CACHED_DHCP6_PACKET_MAX_SIZE];
|
||||
} HTTP_BOOT_DHCP6_PACKET;
|
||||
|
||||
typedef struct {
|
||||
|
@@ -126,11 +126,11 @@ HttpBootStart (
|
||||
ZeroMem (Private->OfferBuffer, sizeof (Private->OfferBuffer));
|
||||
if (!Private->UsingIpv6) {
|
||||
for (Index = 0; Index < HTTP_BOOT_OFFER_MAX_NUM; Index++) {
|
||||
Private->OfferBuffer[Index].Dhcp4.Packet.Offer.Size = HTTP_BOOT_DHCP4_PACKET_MAX_SIZE;
|
||||
Private->OfferBuffer[Index].Dhcp4.Packet.Offer.Size = HTTP_CACHED_DHCP4_PACKET_MAX_SIZE;
|
||||
}
|
||||
} else {
|
||||
for (Index = 0; Index < HTTP_BOOT_OFFER_MAX_NUM; Index++) {
|
||||
Private->OfferBuffer[Index].Dhcp6.Packet.Offer.Size = HTTP_BOOT_DHCP6_PACKET_MAX_SIZE;
|
||||
Private->OfferBuffer[Index].Dhcp6.Packet.Offer.Size = HTTP_CACHED_DHCP6_PACKET_MAX_SIZE;
|
||||
}
|
||||
}
|
||||
|
||||
|
Reference in New Issue
Block a user