path: root/NetworkPkg/Ip4Dxe/Ip4Impl.c
author Doug Flick via groups.io <dougflick=microsoft.com@groups.io> 2024-01-26 05:54:43 +0800
committer mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2024-02-06 19:24:26 +0000
commit f31453e8d6542461d92d835e0b79fec8b039174d
tree d9f9961cf78eec4f9eb98200d9da186df926b89b /NetworkPkg/Ip4Dxe/Ip4Impl.c
parent 959f71c801b447186413532166d3fb2ad9a590da
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535 Bug Details: PixieFail Bug #2 CVE-2023-45230 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Changes Overview: > -UINT8 * > +EFI_STATUS > Dhcp6AppendOption ( > - IN OUT UINT8 *Buf, > - IN UINT16 OptType, > - IN UINT16 OptLen, > - IN UINT8 *Data > + IN OUT EFI_DHCP6_PACKET *Packet, > + IN OUT UINT8 **PacketCursor, > + IN UINT16 OptType, > + IN UINT16 OptLen, > + IN UINT8 *Data > ); Dhcp6AppendOption() and variants can return errors now. All callsites are adapted accordingly. It gets passed in EFI_DHCP6_PACKET as additional parameter ... > + // > + // Verify the PacketCursor is within the packet > + // > + if ( (*PacketCursor < Packet->Dhcp6.Option) > + || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) > + { > + return EFI_INVALID_PARAMETER; > + } ... so it can look at Packet->Size when checking buffer space. Also to allow Packet->Length updates. Lots of checks added. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
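Review bot: In the quoted Dhcp6AppendOption() prototype, the function header comment needs to document the new contract now that the return type is EFI_STATUS and the write position travels through the in/out PacketCursor. It should list the status codes a caller can receive and state whether *PacketCursor and Packet->Length are left unchanged when an error is returned, so that a caller handling a failure knows whether the packet is still in a consistent state.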
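Review bot: In the quoted PacketCursor range check, the upper bound is computed as Packet->Size - sizeof (EFI_DHCP6_HEADER) with no visible guard that Packet->Size is at least sizeof (EFI_DHCP6_HEADER); if it were smaller, the unsigned subtraction would wrap and the comparison would accept a cursor far past the buffer. Suggest rejecting that case before the comparison. The excerpt also only validates where the cursor starts, so the function still needs a separate check that the option header plus OptLen fits in the space remaining after *PacketCursor before anything is written.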
Diffstat (limited to 'NetworkPkg/Ip4Dxe/Ip4Impl.c')
0 files changed, 0 insertions, 0 deletions