NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535

Bug Details:
PixieFail Bug #2
CVE-2023-45230
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds
 of a Memory Buffer

Changes Overview:
> -UINT8 *
> +EFI_STATUS
>  Dhcp6AppendOption (
> -  IN OUT UINT8   *Buf,
> -  IN     UINT16  OptType,
> -  IN     UINT16  OptLen,
> -  IN     UINT8   *Data
> +  IN OUT EFI_DHCP6_PACKET  *Packet,
> +  IN OUT UINT8             **PacketCursor,
> +  IN     UINT16            OptType,
> +  IN     UINT16            OptLen,
> +  IN     UINT8             *Data
>    );

Dhcp6AppendOption() and variants can return errors now.  All callsites
are adapted accordingly.

It gets passed in EFI_DHCP6_PACKET as additional parameter ...

> +  //
> +  // Verify the PacketCursor is within the packet
> +  //
> +  if (  (*PacketCursor < Packet->Dhcp6.Option)
> +     || (*PacketCursor >= Packet->Dhcp6.Option +
 (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
> +  {
> +    return EFI_INVALID_PARAMETER;
> +  }
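
Review bot: The upper bound in this check, `Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))`, is computed with an unsigned subtraction, so if Packet->Size were ever smaller than sizeof (EFI_DHCP6_HEADER) the result wraps to a very large value and the `>=` comparison stops rejecting anything. Suggest returning EFI_INVALID_PARAMETER for `Packet->Size < sizeof (EFI_DHCP6_HEADER)` before this test, and checking Packet, PacketCursor and *PacketCursor for NULL ahead of the dereferences if that is not already done above these lines. This test only establishes where the cursor is; the space check for the 4-byte option header plus OptLen has to be a separate comparison against the bytes remaining after the cursor.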

... so it can look at Packet->Size when checking buffer space.
Also to allow Packet->Length updates.

Lots of checks added.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Doug Flick via groups.io
2024-01-26 05:54:43 +08:00
committed by mergify[bot]
parent 959f71c801
commit f31453e8d6
4 changed files with 666 additions and 237 deletions

@@ -160,69 +160,85 @@ Dhcp6OnTransmitted (
);
/**
Append the appointed option to the buf, and move the buf to the end.
Append the option to Buf, update the length of packet, and move Buf to the end.
@param[in, out] Buf The pointer to buffer.
@param[in] OptType The option type.
@param[in] OptLen The length of option content.s
@param[in] Data The pointer to the option content.
@return Buf The position to append the next option.
@param[in, out] Packet A pointer to the packet, on success Packet->Length
will be updated.
@param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
will be moved to the end of the option.
@param[in] OptType The option type.
@param[in] OptLen The length of option contents.
@param[in] Data The pointer to the option content.
@retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
@retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
@retval EFI_SUCCESS The option is appended successfully.
**/
UINT8 *
EFI_STATUS
Dhcp6AppendOption (
IN OUT UINT8 *Buf,
IN UINT16 OptType,
IN UINT16 OptLen,
IN UINT8 *Data
IN OUT EFI_DHCP6_PACKET *Packet,
IN OUT UINT8 **PacketCursor,
IN UINT16 OptType,
IN UINT16 OptLen,
IN UINT8 *Data
);
/**
Append the Ia option to Buf, and move Buf to the end.
@param[in, out] Buf The pointer to the position to append.
Append the appointed Ia option to Buf, update the Ia option length, and move Buf
to the end of the option.
@param[in, out] Packet A pointer to the packet, on success Packet->Length
will be updated.
@param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
will be moved to the end of the option.
@param[in] Ia The pointer to the Ia.
@param[in] T1 The time of T1.
@param[in] T2 The time of T2.
@param[in] MessageType Message type of DHCP6 package.
@return Buf The position to append the next Ia option.
@retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
@retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
@retval EFI_SUCCESS The option is appended successfully.
**/
UINT8 *
EFI_STATUS
Dhcp6AppendIaOption (
IN OUT UINT8 *Buf,
IN EFI_DHCP6_IA *Ia,
IN UINT32 T1,
IN UINT32 T2,
IN UINT32 MessageType
IN OUT EFI_DHCP6_PACKET *Packet,
IN OUT UINT8 **PacketCursor,
IN EFI_DHCP6_IA *Ia,
IN UINT32 T1,
IN UINT32 T2,
IN UINT32 MessageType
);
/**
Append the appointed Elapsed time option to Buf, and move Buf to the end.
@param[in, out] Buf The pointer to the position to append.
@param[in, out] Packet A pointer to the packet, on success Packet->Length
@param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
will be moved to the end of the option.
@param[in] Instance The pointer to the Dhcp6 instance.
@param[out] Elapsed The pointer to the elapsed time value in
the generated packet.
@return Buf The position to append the next Ia option.
@retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
@retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
@retval EFI_SUCCESS The option is appended successfully.
**/
UINT8 *
EFI_STATUS
Dhcp6AppendETOption (
IN OUT UINT8 *Buf,
IN DHCP6_INSTANCE *Instance,
OUT UINT16 **Elapsed
IN OUT EFI_DHCP6_PACKET *Packet,
IN OUT UINT8 **PacketCursor,
IN DHCP6_INSTANCE *Instance,
OUT UINT16 **Elapsed
);
/**
Set the elapsed time based on the given instance and the pointer to the
elapsed time option.
@param[in] Elapsed The pointer to the position to append.
@param[in] Instance The pointer to the Dhcp6 instance.
@retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
@retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
@retval EFI_SUCCESS The option is appended successfully.
**/
VOID
SetElapsedTime (
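
Review bot: The three @retval lines in the SetElapsedTime comment describe EFI_STATUS results, but the declaration directly below them still returns VOID, so the comment documents values the function cannot return. Either drop the @retval block from this comment or change the return type and have callers check it. Also in this header, the Packet parameter description for Dhcp6AppendETOption stops at "on success Packet->Length" without the "will be updated." continuation that the other two functions carry, and the brief descriptions still say "move Buf to the end" although the parameter is now PacketCursor.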