NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-)
v3: correct the coding style.
v2: correct the commit message & add BZ number.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610
This patch is to check the received package length to make sure the package
has a valid length field.
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++++++++---------
1 file changed, 37 insertions(+), 9 deletions(-)
diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c
index fec242c71f..868f04812c 100644
--- a/NetworkPkg/Ip4Dxe/Ip4Input.c
+++ b/NetworkPkg/Ip4Dxe/Ip4Input.c
@@ -1,9 +1,9 @@
/** @file
IP4 input process.
-Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -709,14 +709,10 @@ Ip4PreProcessPacket (
UINT16 Checksum;
//
// Check if the IP4 header is correctly formatted.
//
- if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
- return EFI_INVALID_PARAMETER;
- }
-
HeadLen = (Head->HeadLen << 2);
TotalLen = NTOHS (Head->TotalLen);
//
// Mnp may deliver frame trailer sequence up, trim it off.
@@ -806,10 +802,34 @@ Ip4PreProcessPacket (
}
return EFI_SUCCESS;
}
+/**
+ This function checks the IPv4 packet length.
+
+ @param[in] Packet Pointer to the IPv4 Packet to be checked.
+
+ @retval TRUE The input IPv4 packet length is valid.
+ @retval FALSE The input IPv4 packet length is invalid.
+
+**/
+BOOLEAN
+Ip4IsValidPacketLength (
+ IN NET_BUF *Packet
+ )
+{
+ //
+ // Check the IP4 packet length.
+ //
+ if (Packet->TotalSize < IP4_MIN_HEADLEN) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
/**
The IP4 input routine. It is called by the IP4_INTERFACE when a
IP4 fragment is received from MNP.
@param[in] Ip4Instance The IP4 child that request the receive, most like
@@ -842,10 +862,14 @@ Ip4AccpetFrame (
if (EFI_ERROR (IoStatus) || (IpSb->State == IP4_SERVICE_DESTROY)) {
goto DROP;
}
+ if (!Ip4IsValidPacketLength (Packet)) {
+ goto RESTART;
+ }
+
Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
ASSERT (Head != NULL);
OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
if (OptionLen > 0) {
Option = (UINT8 *) (Head + 1);
@@ -888,14 +912,18 @@ Ip4AccpetFrame (
//
// If the packet is protected by tunnel mode, parse the inner Ip Packet.
//
ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
- // Packet may have been changed. Head, HeadLen, TotalLen, and
- // info must be reloaded before use. The ownership of the packet
- // is transferred to the packet process logic.
- //
+ // Packet may have been changed. Head, HeadLen, TotalLen, and
+ // info must be reloaded before use. The ownership of the packet
+ // is transferred to the packet process logic.
+ //
+ if (!Ip4IsValidPacketLength (Packet)) {
+ goto RESTART;
+ }
+
Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
ASSERT (Head != NULL);
Status = Ip4PreProcessPacket (
IpSb,
&Packet,
--
2.16.2.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#54569): https://edk2.groups.io/g/devel/message/54569
Mute This Topic: https://groups.io/mt/71366594/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wu,
> Jiaxin
> Sent: 2020年2月18日 13:52
> To: devel@edk2.groups.io
> Cc: Fu, Siyuan <siyuan.fu@intel.com>; Maciej Rabeda
> <maciej.rabeda@linux.intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
> Subject: [edk2-devel] [PATCH v3] NetworkPkg/Ip4Dxe: Check the received
> package length (CVE-2019-14559).
>
> v3: correct the coding style.
> v2: correct the commit message & add BZ number.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610
>
> This patch is to check the received package length to make sure the package
> has a valid length field.
>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
> NetworkPkg/Ip4Dxe/Ip4Input.c | 46
> +++++++++++++++++++++++++++++++++++---------
> 1 file changed, 37 insertions(+), 9 deletions(-)
>
> diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c
> index fec242c71f..868f04812c 100644
> --- a/NetworkPkg/Ip4Dxe/Ip4Input.c
> +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c
> @@ -1,9 +1,9 @@
> /** @file
> IP4 input process.
>
> -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR>
> (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -709,14 +709,10 @@ Ip4PreProcessPacket (
> UINT16 Checksum;
>
> //
> // Check if the IP4 header is correctly formatted.
> //
> - if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> HeadLen = (Head->HeadLen << 2);
> TotalLen = NTOHS (Head->TotalLen);
>
> //
> // Mnp may deliver frame trailer sequence up, trim it off.
> @@ -806,10 +802,34 @@ Ip4PreProcessPacket (
> }
>
> return EFI_SUCCESS;
> }
>
> +/**
> + This function checks the IPv4 packet length.
> +
> + @param[in] Packet Pointer to the IPv4 Packet to be checked.
> +
> + @retval TRUE The input IPv4 packet length is valid.
> + @retval FALSE The input IPv4 packet length is invalid.
> +
> +**/
> +BOOLEAN
> +Ip4IsValidPacketLength (
> + IN NET_BUF *Packet
> + )
> +{
> + //
> + // Check the IP4 packet length.
> + //
> + if (Packet->TotalSize < IP4_MIN_HEADLEN) {
> + return FALSE;
> + }
> +
> + return TRUE;
> +}
> +
> /**
> The IP4 input routine. It is called by the IP4_INTERFACE when a
> IP4 fragment is received from MNP.
>
> @param[in] Ip4Instance The IP4 child that request the receive, most
> like
> @@ -842,10 +862,14 @@ Ip4AccpetFrame (
>
> if (EFI_ERROR (IoStatus) || (IpSb->State == IP4_SERVICE_DESTROY)) {
> goto DROP;
> }
>
> + if (!Ip4IsValidPacketLength (Packet)) {
> + goto RESTART;
> + }
> +
> Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
> ASSERT (Head != NULL);
> OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
> if (OptionLen > 0) {
> Option = (UINT8 *) (Head + 1);
> @@ -888,14 +912,18 @@ Ip4AccpetFrame (
> //
> // If the packet is protected by tunnel mode, parse the inner Ip Packet.
> //
> ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
> if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
> - // Packet may have been changed. Head, HeadLen, TotalLen, and
> - // info must be reloaded before use. The ownership of the packet
> - // is transferred to the packet process logic.
> - //
> + // Packet may have been changed. Head, HeadLen, TotalLen, and
> + // info must be reloaded before use. The ownership of the packet
> + // is transferred to the packet process logic.
> + //
> + if (!Ip4IsValidPacketLength (Packet)) {
> + goto RESTART;
> + }
> +
> Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
> ASSERT (Head != NULL);
> Status = Ip4PreProcessPacket (
> IpSb,
> &Packet,
> --
> 2.16.2.windows.1
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#54600): https://edk2.groups.io/g/devel/message/54600
Mute This Topic: https://groups.io/mt/71366594/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Siyuan and Maciej:
Can you help review this patch? I would like to make CVE fix catch this stable tag edk2 202002.
Thanks
Liming
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wu, Jiaxin
> Sent: Tuesday, February 18, 2020 1:52 PM
> To: devel@edk2.groups.io
> Cc: Fu, Siyuan <siyuan.fu@intel.com>; Maciej Rabeda <maciej.rabeda@linux.intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
> Subject: [edk2-devel] [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
>
> v3: correct the coding style.
> v2: correct the commit message & add BZ number.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610
>
> This patch is to check the received package length to make sure the package
> has a valid length field.
>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
> NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++++++++---------
> 1 file changed, 37 insertions(+), 9 deletions(-)
>
> diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c
> index fec242c71f..868f04812c 100644
> --- a/NetworkPkg/Ip4Dxe/Ip4Input.c
> +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c
> @@ -1,9 +1,9 @@
> /** @file
> IP4 input process.
>
> -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR>
> (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -709,14 +709,10 @@ Ip4PreProcessPacket (
> UINT16 Checksum;
>
> //
> // Check if the IP4 header is correctly formatted.
> //
> - if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> HeadLen = (Head->HeadLen << 2);
> TotalLen = NTOHS (Head->TotalLen);
>
> //
> // Mnp may deliver frame trailer sequence up, trim it off.
> @@ -806,10 +802,34 @@ Ip4PreProcessPacket (
> }
>
> return EFI_SUCCESS;
> }
>
> +/**
> + This function checks the IPv4 packet length.
> +
> + @param[in] Packet Pointer to the IPv4 Packet to be checked.
> +
> + @retval TRUE The input IPv4 packet length is valid.
> + @retval FALSE The input IPv4 packet length is invalid.
> +
> +**/
> +BOOLEAN
> +Ip4IsValidPacketLength (
> + IN NET_BUF *Packet
> + )
> +{
> + //
> + // Check the IP4 packet length.
> + //
> + if (Packet->TotalSize < IP4_MIN_HEADLEN) {
> + return FALSE;
> + }
> +
> + return TRUE;
> +}
> +
> /**
> The IP4 input routine. It is called by the IP4_INTERFACE when a
> IP4 fragment is received from MNP.
>
> @param[in] Ip4Instance The IP4 child that request the receive, most like
> @@ -842,10 +862,14 @@ Ip4AccpetFrame (
>
> if (EFI_ERROR (IoStatus) || (IpSb->State == IP4_SERVICE_DESTROY)) {
> goto DROP;
> }
>
> + if (!Ip4IsValidPacketLength (Packet)) {
> + goto RESTART;
> + }
> +
> Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
> ASSERT (Head != NULL);
> OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN;
> if (OptionLen > 0) {
> Option = (UINT8 *) (Head + 1);
> @@ -888,14 +912,18 @@ Ip4AccpetFrame (
> //
> // If the packet is protected by tunnel mode, parse the inner Ip Packet.
> //
> ZeroMem (&ZeroHead, sizeof (IP4_HEAD));
> if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) {
> - // Packet may have been changed. Head, HeadLen, TotalLen, and
> - // info must be reloaded before use. The ownership of the packet
> - // is transferred to the packet process logic.
> - //
> + // Packet may have been changed. Head, HeadLen, TotalLen, and
> + // info must be reloaded before use. The ownership of the packet
> + // is transferred to the packet process logic.
> + //
> + if (!Ip4IsValidPacketLength (Packet)) {
> + goto RESTART;
> + }
> +
> Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL);
> ASSERT (Head != NULL);
> Status = Ip4PreProcessPacket (
> IpSb,
> &Packet,
> --
> 2.16.2.windows.1
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#54599): https://edk2.groups.io/g/devel/message/54599
Mute This Topic: https://groups.io/mt/71366594/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2024 Red Hat, Inc.