NetworkPkg/DnsDxe: [CVE-2018-12178] Check the received packet size before parsing the message.

Fix CVE-2018-12178 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809 The DNS driver only checks the received packet size against the minimum DNS header size in DnsOnPacketReceived(), later it accesses the QueryName and QuerySection beyond the header scope, which might cause the pointer within DNS driver points to an invalid entry or modifies the memory content beyond the header scope. This patch is to fix above problem. Cc: Ye Ting <ting.ye@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Wang Fan <fan.wang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
2018-07-02 09:20:56 +08:00
parent 38c9fbdcaa
commit 84110bbe4b
2 changed files with 69 additions and 10 deletions
--- a/NetworkPkg/DnsDxe/DnsImpl.h
+++ b/NetworkPkg/DnsDxe/DnsImpl.h
@@ -583,6 +583,7 @@ IsValidDnsResponse (

  @param  Instance              The DNS instance
  @param  RxString              Received buffer.
+  @param  Length                Received buffer length.
  @param  Completed             Flag to indicate that Dns response is valid.

  @retval EFI_SUCCESS           Parse Dns Response successfully.
@@ -593,6 +594,7 @@ EFI_STATUS
 ParseDnsResponse (
  IN OUT DNS_INSTANCE              *Instance,
  IN     UINT8                     *RxString,
+  IN     UINT32                    Length,
     OUT BOOLEAN                   *Completed
  );