diff options
| author | Fu Siyuan <siyuan.fu@intel.com> | 2016-03-28 11:01:03 +0800 |
|---|---|---|
| committer | Fu Siyuan <siyuan.fu@intel.com> | 2016-04-01 13:30:23 +0800 |
| commit | 37b680116dcd4a3517cb87794c33fc84beea8dd2 (patch) | |
| tree | 72595ee118afd97ef259b1a5eb5a54e5d3850188 /NetworkPkg | |
| parent | 1b31acb66c026f2791c959a4ec9b55c04d583c22 (diff) | |
| download | edk2-37b680116dcd4a3517cb87794c33fc84beea8dd2.tar.gz edk2-37b680116dcd4a3517cb87794c33fc84beea8dd2.tar.bz2 edk2-37b680116dcd4a3517cb87794c33fc84beea8dd2.zip | |
NetworkPkg: Check received packet size before use it.
Arbitrary length of packet may be received from network, including the
packets with zero payload data or malformed protocol header. So the code
much check the actually received data size before using it. For example, in
current edk2 network stack, an zero payload UDP packet may cause the
platform ASSERT in NetbufFromExt() because of the zero fragment number.
This patch update the IpIoLib and UdpIoLib to check and discard the zero
payload data packet to avoid above assert. Some other network drivers are
also updated to check the packet size to guarantee the minimum length of
protocol header is received from upper layer driver.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Sriram Subramanian <sriram-s@hpe.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
Diffstat (limited to 'NetworkPkg')
| -rw-r--r-- | NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 6 | ||||
| -rw-r--r-- | NetworkPkg/DnsDxe/DnsImpl.c | 18 | ||||
| -rw-r--r-- | NetworkPkg/TcpDxe/TcpInput.c | 13 | ||||
| -rw-r--r-- | NetworkPkg/Udp6Dxe/Udp6Impl.c | 13 |
4 files changed, 40 insertions, 10 deletions
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c index b4e0007926..d25b9734d8 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c @@ -2,7 +2,7 @@ Dhcp6 internal functions implementation.
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
- Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -2827,6 +2827,10 @@ Dhcp6ReceivePacket ( return ;
}
+ if (Udp6Wrap->TotalSize < sizeof (EFI_DHCP6_HEADER)) {
+ goto ON_CONTINUE;
+ }
+
//
// Copy the net buffer received from upd6 to a Dhcp6 packet.
//
diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c index 19184415e5..4f10e17cf3 100644 --- a/NetworkPkg/DnsDxe/DnsImpl.c +++ b/NetworkPkg/DnsDxe/DnsImpl.c @@ -1615,6 +1615,10 @@ DnsOnPacketReceived ( }
ASSERT (Packet != NULL);
+
+ if (Packet->TotalSize <= sizeof (DNS_HEADER)) {
+ goto ON_EXIT;
+ }
RcvString = NetbufGetByte (Packet, 0, NULL);
ASSERT (RcvString != NULL);
@@ -1624,15 +1628,15 @@ DnsOnPacketReceived ( //
ParseDnsResponse (Instance, RcvString, &Completed);
- ON_EXIT:
+ON_EXIT:
- if (Packet != NULL) {
- NetbufFree (Packet);
- }
+ if (Packet != NULL) {
+ NetbufFree (Packet);
+ }
- if (!Completed) {
- UdpIoRecvDatagram (Instance->UdpIo, DnsOnPacketReceived, Instance, 0);
- }
+ if (!Completed) {
+ UdpIoRecvDatagram (Instance->UdpIo, DnsOnPacketReceived, Instance, 0);
+ }
}
/**
diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c index d0118f1d88..745ee4cc6e 100644 --- a/NetworkPkg/TcpDxe/TcpInput.c +++ b/NetworkPkg/TcpDxe/TcpInput.c @@ -1,7 +1,7 @@ /** @file
TCP input process routines.
- Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -748,11 +748,18 @@ TcpInput ( Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);
ASSERT (Head != NULL);
+
+ if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {
+ DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));
+ goto DISCARD;
+ }
+
Len = Nbuf->TotalSize - (Head->HeadLen << 2);
if ((Head->HeadLen < 5) || (Len < 0)) {
DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));
+
goto DISCARD;
}
@@ -1560,6 +1567,10 @@ TcpIcmpInput ( BOOLEAN IcmpErrIsHard;
BOOLEAN IcmpErrNotify;
+ if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {
+ goto CLEAN_EXIT;
+ }
+
Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);
ASSERT (Head != NULL);
diff --git a/NetworkPkg/Udp6Dxe/Udp6Impl.c b/NetworkPkg/Udp6Dxe/Udp6Impl.c index 40e3aff069..7ed50411c6 100644 --- a/NetworkPkg/Udp6Dxe/Udp6Impl.c +++ b/NetworkPkg/Udp6Dxe/Udp6Impl.c @@ -1,7 +1,7 @@ /** @file
Udp6 driver's whole implementation.
- Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -1598,6 +1598,11 @@ Udp6Demultiplex ( EFI_UDP6_SESSION_DATA *Udp6Session;
UINTN Enqueued;
+ if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) {
+ NetbufFree (Packet);
+ return;
+ }
+
//
// Get the datagram header from the packet buffer.
//
@@ -1619,6 +1624,7 @@ Udp6Demultiplex ( //
// Wrong checksum.
//
+ NetbufFree (Packet);
return;
}
}
@@ -1834,6 +1840,11 @@ Udp6IcmpHandler ( LIST_ENTRY *Entry;
UDP6_INSTANCE_DATA *Instance;
+ if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) {
+ NetbufFree (Packet);
+ return;
+ }
+
Udp6Header = (EFI_UDP_HEADER *) NetbufGetByte (Packet, 0, NULL);
ASSERT (Udp6Header != NULL);
|