diff options
| author | Jiaxin Wu <Jiaxin.wu@intel.com> | 2019-04-29 09:51:53 +0800 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2020-02-19 10:13:42 +0000 |
| commit | 578bcdc2605e3438b9cbdac4e68339f90f5bf8af (patch) | |
| tree | 8d6f8541f9fbbd20a9d7046322ce3f1b2a049887 /NetworkPkg | |
| parent | 6d8f4bafadb52a4a674de1a2eb463f84154d066d (diff) | |
| download | edk2-578bcdc2605e3438b9cbdac4e68339f90f5bf8af.tar.gz edk2-578bcdc2605e3438b9cbdac4e68339f90f5bf8af.tar.bz2 edk2-578bcdc2605e3438b9cbdac4e68339f90f5bf8af.zip | |
NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
v3: correct the coding style.
v2: correct the commit message & add BZ number.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610
This patch is to check the received package length to make sure the package
has a valid length field.
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
Diffstat (limited to 'NetworkPkg')
| -rw-r--r-- | NetworkPkg/Ip4Dxe/Ip4Input.c | 46 |
1 files changed, 37 insertions, 9 deletions
diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c index fec242c71f..868f04812c 100644 --- a/NetworkPkg/Ip4Dxe/Ip4Input.c +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c @@ -1,7 +1,7 @@ /** @file
IP4 input process.
-Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -711,10 +711,6 @@ Ip4PreProcessPacket ( //
// Check if the IP4 header is correctly formatted.
//
- if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
- return EFI_INVALID_PARAMETER;
- }
-
HeadLen = (Head->HeadLen << 2);
TotalLen = NTOHS (Head->TotalLen);
@@ -809,6 +805,30 @@ Ip4PreProcessPacket ( }
/**
+ This function checks the IPv4 packet length.
+
+ @param[in] Packet Pointer to the IPv4 Packet to be checked.
+
+ @retval TRUE The input IPv4 packet length is valid.
+ @retval FALSE The input IPv4 packet length is invalid.
+
+**/
+BOOLEAN
+Ip4IsValidPacketLength (
+ IN NET_BUF *Packet
+ )
+{
+ //
+ // Check the IP4 packet length.
+ //
+ if (Packet->TotalSize < IP4_MIN_HEADLEN) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+/**
The IP4 input routine. It is called by the IP4_INTERFACE when a
IP4 fragment is received from MNP.
@@ -844,6 +864,10 @@ Ip4AccpetFrame ( goto DROP;
}
+ if (!Ip4IsValidPacketLength (Packet)) {
+ goto RESTART;
+ }
+
Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
ASSERT (Head != NULL);
OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
@@ -890,10 +914,14 @@ Ip4AccpetFrame ( //
ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
- // Packet may have been changed. Head, HeadLen, TotalLen, and
- // info must be reloaded before use. The ownership of the packet
- // is transferred to the packet process logic.
- //
+ // Packet may have been changed. Head, HeadLen, TotalLen, and
+ // info must be reloaded before use. The ownership of the packet
+ // is transferred to the packet process logic.
+ //
+ if (!Ip4IsValidPacketLength (Packet)) {
+ goto RESTART;
+ }
+
Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
ASSERT (Head != NULL);
Status = Ip4PreProcessPacket (
|