diff options
| author | Fu Siyuan <siyuan.fu@intel.com> | 2016-11-16 13:37:15 +0800 |
|---|---|---|
| committer | Fu Siyuan <siyuan.fu@intel.com> | 2016-11-18 16:30:50 +0800 |
| commit | 632dcfd6857b6211ce3fe9755d3c11e74ef5d447 (patch) | |
| tree | 03c5766d7efa36d127b45d5c716561115ee62dd6 /NetworkPkg/HttpBootDxe | |
| parent | 4f6b33b460226bc1a54d8af2c0f4fe195f2f04ce (diff) | |
| download | edk2-632dcfd6857b6211ce3fe9755d3c11e74ef5d447.tar.gz edk2-632dcfd6857b6211ce3fe9755d3c11e74ef5d447.tar.bz2 edk2-632dcfd6857b6211ce3fe9755d3c11e74ef5d447.zip | |
NetworkPkg: Check for the max DHCP packet length before use it.
This patch updates the PXE and HTTP boot driver to drop the input DHCP packet
if it exceed the maximum length.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
Diffstat (limited to 'NetworkPkg/HttpBootDxe')
| -rw-r--r-- | NetworkPkg/HttpBootDxe/HttpBootDhcp4.h | 4 | ||||
| -rw-r--r-- | NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 6 | ||||
| -rw-r--r-- | NetworkPkg/HttpBootDxe/HttpBootDhcp6.h | 4 | ||||
| -rw-r--r-- | NetworkPkg/HttpBootDxe/HttpBootImpl.c | 4 |
4 files changed, 14 insertions, 4 deletions
diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp4.h b/NetworkPkg/HttpBootDxe/HttpBootDhcp4.h index 27d949850a..0b2cafbf50 100644 --- a/NetworkPkg/HttpBootDxe/HttpBootDhcp4.h +++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp4.h @@ -178,10 +178,12 @@ typedef struct { UINT32 Reserved;
} HTTP_BOOT_VENDOR_OPTION;
+#define HTTP_CACHED_DHCP4_PACKET_MAX_SIZE (OFFSET_OF (EFI_DHCP4_PACKET, Dhcp4) + HTTP_BOOT_DHCP4_PACKET_MAX_SIZE)
+
typedef union {
EFI_DHCP4_PACKET Offer;
EFI_DHCP4_PACKET Ack;
- UINT8 Buffer[HTTP_BOOT_DHCP4_PACKET_MAX_SIZE];
+ UINT8 Buffer[HTTP_CACHED_DHCP4_PACKET_MAX_SIZE];
} HTTP_BOOT_DHCP4_PACKET;
typedef struct {
diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c index 847864203c..ca84f2ad9b 100644 --- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c +++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c @@ -427,6 +427,12 @@ HttpBootDhcp6CallBack ( case Dhcp6RcvdAdvertise:
Status = EFI_NOT_READY;
+ if (Packet->Length > HTTP_BOOT_DHCP6_PACKET_MAX_SIZE) {
+ //
+ // Ignore the incoming packets which exceed the maximum length.
+ //
+ break;
+ }
if (Private->OfferNum < HTTP_BOOT_OFFER_MAX_NUM) {
//
// Cache the dhcp offers to OfferBuffer[] for select later, and record
diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.h b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.h index 14d6db0648..9f2989831e 100644 --- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.h +++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.h @@ -75,10 +75,12 @@ typedef union { HTTP_BOOT_DHCP6_OPTION_VENDOR_CLASS *VendorClass;
} HTTP_BOOT_DHCP6_OPTION_ENTRY;
+#define HTTP_CACHED_DHCP6_PACKET_MAX_SIZE (OFFSET_OF (EFI_DHCP6_PACKET, Dhcp6) + HTTP_BOOT_DHCP6_PACKET_MAX_SIZE)
+
typedef union {
EFI_DHCP6_PACKET Offer;
EFI_DHCP6_PACKET Ack;
- UINT8 Buffer[HTTP_BOOT_DHCP6_PACKET_MAX_SIZE];
+ UINT8 Buffer[HTTP_CACHED_DHCP6_PACKET_MAX_SIZE];
} HTTP_BOOT_DHCP6_PACKET;
typedef struct {
diff --git a/NetworkPkg/HttpBootDxe/HttpBootImpl.c b/NetworkPkg/HttpBootDxe/HttpBootImpl.c index babd3e6194..cf6de80a17 100644 --- a/NetworkPkg/HttpBootDxe/HttpBootImpl.c +++ b/NetworkPkg/HttpBootDxe/HttpBootImpl.c @@ -126,11 +126,11 @@ HttpBootStart ( ZeroMem (Private->OfferBuffer, sizeof (Private->OfferBuffer));
if (!Private->UsingIpv6) {
for (Index = 0; Index < HTTP_BOOT_OFFER_MAX_NUM; Index++) {
- Private->OfferBuffer[Index].Dhcp4.Packet.Offer.Size = HTTP_BOOT_DHCP4_PACKET_MAX_SIZE;
+ Private->OfferBuffer[Index].Dhcp4.Packet.Offer.Size = HTTP_CACHED_DHCP4_PACKET_MAX_SIZE;
}
} else {
for (Index = 0; Index < HTTP_BOOT_OFFER_MAX_NUM; Index++) {
- Private->OfferBuffer[Index].Dhcp6.Packet.Offer.Size = HTTP_BOOT_DHCP6_PACKET_MAX_SIZE;
+ Private->OfferBuffer[Index].Dhcp6.Packet.Offer.Size = HTTP_CACHED_DHCP6_PACKET_MAX_SIZE;
}
}
|