From 9cc6e36325f921f2caa4ba7f0c00a8ab4ae88cf9 Mon Sep 17 00:00:00 2001 From: Fu Siyuan Date: Wed, 16 Nov 2016 13:36:37 +0800 Subject: MdeModulePkg: Check for the max DHCP packet length before use it. This patch updates the PXE driver to drop the input DHCP packet if it exceed the maximum length. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Fu Siyuan Reviewed-By: Wu Jiaxin (cherry picked from commit 4f6b33b460226bc1a54d8af2c0f4fe195f2f04ce) --- .../Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c | 23 ++++++++++++++++++++++ .../Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h | 2 +- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c index 6c06373004..156154c698 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c @@ -908,6 +908,14 @@ PxeBcDhcpCallBack ( case Dhcp4SendDiscover: case Dhcp4SendRequest: + if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) { + // + // If the to be sent packet exceeds the maximum length, abort the DHCP process. + // + Status = EFI_ABORTED; + break; + } + if (Mode->SendGUID) { // // send the system GUID instead of the MAC address as the hardware address @@ -938,6 +946,13 @@ PxeBcDhcpCallBack ( case Dhcp4RcvdOffer: Status = EFI_NOT_READY; + if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) { + // + // Ignore the incoming Offers which exceed the maximum length. + // + break; + } + if (Private->NumOffers < PXEBC_MAX_OFFER_NUM) { // // Cache the dhcp offers in Private->Dhcp4Offers[] @@ -963,6 +978,14 @@ PxeBcDhcpCallBack ( break; case Dhcp4RcvdAck: + if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) { + // + // Abort the DHCP if the ACK packet exceeds the maximum length. + // + Status = EFI_ABORTED; + break; + } + // // Cache Ack // diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h index 1626060ee2..bdf137fe80 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h @@ -18,7 +18,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define PXEBC_DHCP4_MAX_OPTION_NUM 16 #define PXEBC_DHCP4_MAX_OPTION_SIZE 312 -#define PXEBC_DHCP4_MAX_PACKET_SIZE 1472 +#define PXEBC_DHCP4_MAX_PACKET_SIZE (sizeof (EFI_PXE_BASE_CODE_PACKET)) #define PXEBC_DHCP4_S_PORT 67 #define PXEBC_DHCP4_C_PORT 68 -- cgit v1.2.3