NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540

Bug Details:
PixieFail Bug #7
CVE-2023-45235
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of
 a Memory Buffer

Buffer overflow when handling Server ID option from a DHCPv6 proxy
Advertise message

Change Overview:

Performs two checks

1. Checks that the length of the duid is accurate
> + //
> + // Check that the minimum and maximum requirements are met
> + //
> + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) ||
(OpLen > PXEBC_MAX_SIZE_OF_DUID)) {
> +  Status = EFI_INVALID_PARAMETER;
> +  goto ON_ERROR;
> + }

2. Ensures that the amount of data written to the buffer is tracked and
never exceeds that
> + //
> + // Check that the option length is valid.
> + //
> + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN)
 > DiscoverLenNeeded) {
> +     Status = EFI_OUT_OF_RESOURCES;
> +     goto ON_ERROR;
> + }

Additional code clean up and fix for memory leak in case Option was NULL

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Doug Flick
2024-01-26 05:54:55 +08:00
committed by mergify[bot]
parent 7f04c7a253
commit fac297724e
2 changed files with 78 additions and 16 deletions


@@ -34,6 +34,23 @@
#define PXEBC_ADDR_START_DELIMITER '['
#define PXEBC_ADDR_END_DELIMITER ']'
//
// A DUID consists of a 2-octet type code represented in network byte
// order, followed by a variable number of octets that make up the
// actual identifier. The length of the DUID (not including the type
// code) is at least 1 octet and at most 128 octets.
//
#define PXEBC_MIN_SIZE_OF_DUID (sizeof(UINT16) + 1)
#define PXEBC_MAX_SIZE_OF_DUID (sizeof(UINT16) + 128)
//
// This define represents the combineds code and length field from
// https://datatracker.ietf.org/doc/html/rfc3315#section-22.1
//
#define PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN \
(sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode) + \
sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen))
#define GET_NEXT_DHCP6_OPTION(Opt) \
(EFI_DHCP6_PACKET_OPTION *) ((UINT8 *) (Opt) + \
sizeof (EFI_DHCP6_PACKET_OPTION) + (NTOHS ((Opt)->OpLen)) - 1)
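
Review bot: the comment above PXEBC_MIN_SIZE_OF_DUID and PXEBC_MAX_SIZE_OF_DUID states the 1 to 128 octet bounds without saying where they come from, while the comment on PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN links its RFC section; please add the matching reference so the limits can be checked against the spec. Two smaller points in the same block: the DUID macros write `sizeof(UINT16)` without the space that the `sizeof (...)` calls a few lines below use, and "combineds" in the second comment should be "combined". It would also help to say in the comment that both DUID macros include the 2-octet type code, since the quoted text gives the 128 limit as excluding it and the values are compared directly against OpLen.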