NetworkPkg/DnsDxe: [CVE-2018-12178] Check the received packet size before parsing the message.

Fix CVE-2018-12178
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=809

The DNS driver only checks the received packet size against the
minimum DNS header size in DnsOnPacketReceived(), later it accesses
the QueryName and QuerySection beyond the header scope, which might
cause the pointer within DNS driver points to an invalid entry or
modifies the memory content beyond the header scope.

This patch is to fix above problem.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wang Fan <fan.wang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
This commit is contained in:
Jiaxin Wu
2018-07-02 09:20:56 +08:00
parent 38c9fbdcaa
commit 84110bbe4b
2 changed files with 69 additions and 10 deletions

View File

@@ -583,6 +583,7 @@ IsValidDnsResponse (
@param Instance The DNS instance
@param RxString Received buffer.
@param Length Received buffer length.
@param Completed Flag to indicate that Dns response is valid.
@retval EFI_SUCCESS Parse Dns Response successfully.
@@ -593,6 +594,7 @@ EFI_STATUS
ParseDnsResponse (
IN OUT DNS_INSTANCE *Instance,
IN UINT8 *RxString,
IN UINT32 Length,
OUT BOOLEAN *Completed
);