summaryrefslogtreecommitdiffstats
path: root/ReadMe.rst
diff options
context:
space:
mode:
authorDoug Flick <dougflick@microsoft.com>2024-01-26 05:54:55 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2024-02-06 19:24:26 +0000
commitfac297724e6cc343430cd0104e55cd7a96d1151e (patch)
treea8c130ed25a77a6c6c7c9a68e978c19a338e816d /ReadMe.rst
parent7f04c7a253621956ba59a121c6e8658256788f40 (diff)
downloadedk2-fac297724e6cc343430cd0104e55cd7a96d1151e.tar.gz
edk2-fac297724e6cc343430cd0104e55cd7a96d1151e.tar.bz2
edk2-fac297724e6cc343430cd0104e55cd7a96d1151e.zip
NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540 Bug Details: PixieFail Bug #7 CVE-2023-45235 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message Change Overview: Performs two checks 1. Checks that the length of the duid is accurate > + // > + // Check that the minimum and maximum requirements are met > + // > + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUID)) { > + Status = EFI_INVALID_PARAMETER; > + goto ON_ERROR; > + } 2. Ensures that the amount of data written to the buffer is tracked and never exceeds that > + // > + // Check that the option length is valid. > + // > + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > DiscoverLenNeeded) { > + Status = EFI_OUT_OF_RESOURCES; > + goto ON_ERROR; > + } Additional code clean up and fix for memory leak in case Option was NULL Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Diffstat (limited to 'ReadMe.rst')
0 files changed, 0 insertions, 0 deletions