NetworkPkg/DnsDxe: [CVE-2018-12178] Check the received packet size before parsing the message.
Fix CVE-2018-12178 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809 The DNS driver only checks the received packet size against the minimum DNS header size in DnsOnPacketReceived(), later it accesses the QueryName and QuerySection beyond the header scope, which might cause the pointer within DNS driver points to an invalid entry or modifies the memory content beyond the header scope. This patch is to fix above problem. Cc: Ye Ting <ting.ye@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Wang Fan <fan.wang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
This commit is contained in:
@@ -583,6 +583,7 @@ IsValidDnsResponse (
|
||||
|
||||
@param Instance The DNS instance
|
||||
@param RxString Received buffer.
|
||||
@param Length Received buffer length.
|
||||
@param Completed Flag to indicate that Dns response is valid.
|
||||
|
||||
@retval EFI_SUCCESS Parse Dns Response successfully.
|
||||
@@ -593,6 +594,7 @@ EFI_STATUS
|
||||
ParseDnsResponse (
|
||||
IN OUT DNS_INSTANCE *Instance,
|
||||
IN UINT8 *RxString,
|
||||
IN UINT32 Length,
|
||||
OUT BOOLEAN *Completed
|
||||
);
|
||||
|
||||
|
Reference in New Issue
Block a user