diff options
| author | Doug Flick <dougflick@microsoft.com> | 2024-01-26 05:54:48 +0800 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2024-02-06 19:24:26 +0000 |
| commit | bbfee34f4188ac00371abe1389ae9c9fb989a0cd (patch) | |
| tree | c1566475cc1910310278edeffeafec4617cbed60 /NetworkPkg | |
| parent | 07362769ab7a7d74dbea1c7a7a3662c7b5d1f097 (diff) | |
| download | edk2-bbfee34f4188ac00371abe1389ae9c9fb989a0cd.tar.gz edk2-bbfee34f4188ac00371abe1389ae9c9fb989a0cd.tar.bz2 edk2-bbfee34f4188ac00371abe1389ae9c9fb989a0cd.zip | |
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
Bug Overview:
PixieFail Bug #3
CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Out-of-bounds read when handling a ND Redirect message with truncated
options
Change Overview:
Adds a check to prevent truncated options from being parsed
+ //
+ // Cannot process truncated options.
+ // Cannot process options with a length of 0 as there is no Type
field.
+ //
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+ return FALSE;
+ }
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Diffstat (limited to 'NetworkPkg')
| -rw-r--r-- | NetworkPkg/Ip6Dxe/Ip6Option.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c index 199eea124d..8718d5d875 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Option.c +++ b/NetworkPkg/Ip6Dxe/Ip6Option.c @@ -137,6 +137,14 @@ Ip6IsNDOptionValid ( return FALSE;
}
+ //
+ // Cannot process truncated options.
+ // Cannot process options with a length of 0 as there is no Type field.
+ //
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+ return FALSE;
+ }
+
Offset = 0;
//
|