From nobody Fri Nov 1 03:42:08 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 15227671360851006.403188904766; Tue, 3 Apr 2018 07:52:16 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id D58A521FB7D42; Tue, 3 Apr 2018 07:52:02 -0700 (PDT) Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 9AC5121FB7D2D for ; Tue, 3 Apr 2018 07:52:01 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DF0C0EB6FF; Tue, 3 Apr 2018 14:52:00 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-185.rdu2.redhat.com [10.10.120.185]) by smtp.corp.redhat.com (Postfix) with ESMTP id D08782026E0E; Tue, 3 Apr 2018 14:51:59 +0000 (UTC) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org From: Laszlo Ersek To: edk2-devel-01 Date: Tue, 3 Apr 2018 16:51:39 +0200 Message-Id: <20180403145149.8925-4-lersek@redhat.com> In-Reply-To: <20180403145149.8925-1-lersek@redhat.com> References: <20180403145149.8925-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Tue, 03 Apr 2018 14:52:00 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Tue, 03 Apr 2018 14:52:00 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [edk2] [PATCH 03/13] NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Siyuan Fu , Jiaxin Wu MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" TlsSetSessionData() shouldn't just ignore an incomplete EFI_TLS_CIPHER element at the end of "Data": - Generally speaking, malformed input for a security API is best rejected explicitly. - Specifically speaking, the size of EFI_TLS_CIPHER is 2 bytes. If DataSize is 1 on input, then the initial check for (DataSize =3D=3D 0) wi= ll fail, but then TlsSetCipherList() will be called with CipherNum=3D0. Return EFI_INVALID_PARAMETER from TlsSetSessionData() if "Data" doesn't contain a whole number of EFI_TLS_CIPHER elements. While at it, introduce the dedicated variable CipherCount. Cc: Jiaxin Wu Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D915 Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek Reviewed-by: Fu Siyuan --- NetworkPkg/TlsDxe/TlsProtocol.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/NetworkPkg/TlsDxe/TlsProtocol.c b/NetworkPkg/TlsDxe/TlsProtoco= l.c index ad4c922c60bd..a5f95a098345 100644 --- a/NetworkPkg/TlsDxe/TlsProtocol.c +++ b/NetworkPkg/TlsDxe/TlsProtocol.c @@ -35,12 +35,13 @@ EFI_TLS_PROTOCOL mTlsProtocol =3D { =20 @retval EFI_SUCCESS The TLS session data is set successfully. @retval EFI_INVALID_PARAMETER One or more of the following conditions = is TRUE: This is NULL. Data is NULL. DataSize is 0. + DataSize is invalid for DataType. @retval EFI_UNSUPPORTED The DataType is unsupported. @retval EFI_ACCESS_DENIED If the DataType is one of below: EfiTlsClientRandom EfiTlsServerRandom EfiTlsKeyMaterial @retval EFI_NOT_READY Current TLS session state is NOT @@ -56,12 +57,13 @@ TlsSetSessionData ( IN UINTN DataSize ) { EFI_STATUS Status; TLS_INSTANCE *Instance; UINT16 *CipherId; + UINTN CipherCount; UINTN Index; =20 EFI_TPL OldTpl; =20 Status =3D EFI_SUCCESS; CipherId =3D NULL; @@ -97,23 +99,29 @@ TlsSetSessionData ( goto ON_EXIT; } =20 Status =3D TlsSetConnectionEnd (Instance->TlsConn, *((EFI_TLS_CONNECTI= ON_END *) Data)); break; case EfiTlsCipherList: + if (DataSize % sizeof (EFI_TLS_CIPHER) !=3D 0) { + Status =3D EFI_INVALID_PARAMETER; + goto ON_EXIT; + } + CipherId =3D AllocatePool (DataSize); if (CipherId =3D=3D NULL) { Status =3D EFI_OUT_OF_RESOURCES; goto ON_EXIT; } =20 - for (Index =3D 0; Index < DataSize / sizeof (EFI_TLS_CIPHER); Index++)= { + CipherCount =3D DataSize / sizeof (EFI_TLS_CIPHER); + for (Index =3D 0; Index < CipherCount; Index++) { *(CipherId +Index) =3D HTONS (*(((UINT16 *) Data) + Index)); } =20 - Status =3D TlsSetCipherList (Instance->TlsConn, CipherId, DataSize / s= izeof (EFI_TLS_CIPHER)); + Status =3D TlsSetCipherList (Instance->TlsConn, CipherId, CipherCount); =20 FreePool (CipherId); break; case EfiTlsCompressionMethod: // // TLS seems only define one CompressionMethod.null, which specifies t= hat data exchanged via the --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel