diff options
author | Doug Flick via groups.io <dougflick=microsoft.com@groups.io> | 2024-01-26 05:54:43 +0800 |
---|---|---|
committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2024-02-06 19:24:26 +0000 |
commit | f31453e8d6542461d92d835e0b79fec8b039174d (patch) | |
tree | d9f9961cf78eec4f9eb98200d9da186df926b89b /NetworkPkg/Ip4Dxe/Ip4Impl.c | |
parent | 959f71c801b447186413532166d3fb2ad9a590da (diff) | |
download | edk2-f31453e8d6542461d92d835e0b79fec8b039174d.tar.gz edk2-f31453e8d6542461d92d835e0b79fec8b039174d.tar.bz2 edk2-f31453e8d6542461d92d835e0b79fec8b039174d.zip |
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535
Bug Details:
PixieFail Bug #2
CVE-2023-45230
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds
of a Memory Buffer
Changes Overview:
> -UINT8 *
> +EFI_STATUS
> Dhcp6AppendOption (
> - IN OUT UINT8 *Buf,
> - IN UINT16 OptType,
> - IN UINT16 OptLen,
> - IN UINT8 *Data
> + IN OUT EFI_DHCP6_PACKET *Packet,
> + IN OUT UINT8 **PacketCursor,
> + IN UINT16 OptType,
> + IN UINT16 OptLen,
> + IN UINT8 *Data
> );
Dhcp6AppendOption() and variants can return errors now. All callsites
are adapted accordingly.
It gets passed in EFI_DHCP6_PACKET as additional parameter ...
> + //
> + // Verify the PacketCursor is within the packet
> + //
> + if ( (*PacketCursor < Packet->Dhcp6.Option)
> + || (*PacketCursor >= Packet->Dhcp6.Option +
(Packet->Size - sizeof (EFI_DHCP6_HEADER))))
> + {
> + return EFI_INVALID_PARAMETER;
> + }
... so it can look at Packet->Size when checking buffer space.
Also to allow Packet->Length updates.
Lots of checks added.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Diffstat (limited to 'NetworkPkg/Ip4Dxe/Ip4Impl.c')
0 files changed, 0 insertions, 0 deletions