From nobody Mon May 6 02:26:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+54562+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+54562+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1581975197195210.17316867641466; Mon, 17 Feb 2020 13:33:17 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id 7wDuYY1788612xKgQoJZsG02; Mon, 17 Feb 2020 13:33:16 -0800 X-Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mx.groups.io with SMTP id smtpd.web09.15942.1581975195118648635 for ; Mon, 17 Feb 2020 13:33:15 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Feb 2020 13:33:14 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,454,1574150400"; d="scan'208";a="435658159" X-Received: from jiaxinwu-mobl.ccr.corp.intel.com ([10.255.31.28]) by fmsmga006.fm.intel.com with ESMTP; 17 Feb 2020 13:33:12 -0800 From: "Wu, Jiaxin" To: devel@edk2.groups.io Cc: Fu Siyuan , Maciej Rabeda , Wu Jiaxin Subject: [edk2-devel] [PATCH v2] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559). Date: Tue, 18 Feb 2020 05:33:09 +0800 Message-Id: <20200217213309.13104-1-Jiaxin.wu@intel.com> Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiaxin.wu@intel.com X-Gm-Message-State: JzybbIGuyJpz4XJwP104pEAtx1787277AA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1581975196; bh=SmtVWZcGSy/NWM6FVpJi5eA57WW5lEpMX66dxlm5pgY=; h=Cc:Date:From:Reply-To:Subject:To; b=hafbs8sKCdIyvHeGlBCV/+7RI7DEcfWAJHenJ/fqLUCxtMJALRN6Ht7+9p6Dd8Dxpp8 FZDfiC3mgFifcLrU/uPzDz5PFNV90IZmUhobYR5HZbrM6c1Ft52hSmn4LeKS/r1p/1xVY TqhVP5yZfvaaxZbvi/wG890PVeQS9bL6vUs= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" V2: correct the commit message & add BZ number. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1610 This patch is to check the received package length to make sure the package has a valid length field. Cc: Fu Siyuan Cc: Maciej Rabeda Signed-off-by: Wu Jiaxin --- NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++++++++-----= ---- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c index fec242c71f..95fbd01d05 100644 --- a/NetworkPkg/Ip4Dxe/Ip4Input.c +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c @@ -1,9 +1,9 @@ /** @file IP4 input process. =20 -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.
(C) Copyright 2015 Hewlett-Packard Development Company, L.P.
=20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -709,14 +709,10 @@ Ip4PreProcessPacket ( UINT16 Checksum; =20 // // Check if the IP4 header is correctly formatted. // - if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) { - return EFI_INVALID_PARAMETER; - } - HeadLen =3D (Head->HeadLen << 2); TotalLen =3D NTOHS (Head->TotalLen); =20 // // Mnp may deliver frame trailer sequence up, trim it off. @@ -806,10 +802,34 @@ Ip4PreProcessPacket ( } =20 return EFI_SUCCESS; } =20 +/** + This function checks the IPv4 packet length. + + @param[in] Packet Pointer to the IPv4 Packet to be checke= d. + + @retval TRUE The input IPv4 packet length is valid. + @retval FALSE The input IPv4 packet length is invalid. + +**/ +BOOLEAN +Ip4IsValidPacketLength ( + IN NET_BUF *Packet + ) +{ + // + // Check the IP4 packet length. + // + if (Packet->TotalSize < IP4_MIN_HEADLEN) { + return FALSE; + } + + return TRUE; +} + /** The IP4 input routine. It is called by the IP4_INTERFACE when a IP4 fragment is received from MNP. =20 @param[in] Ip4Instance The IP4 child that request the receive, m= ost like @@ -842,10 +862,14 @@ Ip4AccpetFrame ( =20 if (EFI_ERROR (IoStatus) || (IpSb->State =3D=3D IP4_SERVICE_DESTROY)) { goto DROP; } =20 + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head =3D (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head !=3D NULL); OptionLen =3D (Head->HeadLen << 2) - IP4_MIN_HEADLEN; if (OptionLen > 0) { Option =3D (UINT8 *) (Head + 1); @@ -888,14 +912,18 @@ Ip4AccpetFrame ( // // If the packet is protected by tunnel mode, parse the inner Ip Packet. // ZeroMem (&ZeroHead, sizeof (IP4_HEAD)); if (0 =3D=3D CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) { - // Packet may have been changed. Head, HeadLen, TotalLen, and - // info must be reloaded before use. The ownership of the packet - // is transferred to the packet process logic. - // + // Packet may have been changed. Head, HeadLen, TotalLen, and + // info must be reloaded before use. The ownership of the packet + // is transferred to the packet process logic. + // + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + =20 Head =3D (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head !=3D NULL); Status =3D Ip4PreProcessPacket ( IpSb, &Packet, --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#54562): https://edk2.groups.io/g/devel/message/54562 Mute This Topic: https://groups.io/mt/71359594/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-