From: "Wu, Jiaxin"
To: devel@edk2.groups.io
Cc: Fu Siyuan, Maciej Rabeda, Wu Jiaxin
Subject: [edk2-devel] [PATCH v3] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559).
Date: Tue, 18 Feb 2020 13:52:03 +0800
Message-Id: <20200218055203.14732-1-Jiaxin.wu@intel.com>

v3: correct the coding style.
v2: correct the commit message & add BZ number.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610

This patch is to check the received package length to make sure the package has a valid length field.

Cc: Fu Siyuan
Cc: Maciej Rabeda
Signed-off-by: Wu Jiaxin
Reviewed-by: Siyuan Fu
--- NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++++++++-----= ---- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c index fec242c71f..868f04812c 100644 --- a/NetworkPkg/Ip4Dxe/Ip4Input.c +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c @@ -1,9 +1,9 @@ /** @file IP4 input process. =20 -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.
(C) Copyright 2015 Hewlett-Packard Development Company, L.P.
=20 SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -709,14 +709,10 @@ Ip4PreProcessPacket ( UINT16 Checksum; =20 // // Check if the IP4 header is correctly formatted. // - if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) { - return EFI_INVALID_PARAMETER; - } - HeadLen =3D (Head->HeadLen << 2); TotalLen =3D NTOHS (Head->TotalLen); =20 // // Mnp may deliver frame trailer sequence up, trim it off. @@ -806,10 +802,34 @@ Ip4PreProcessPacket ( } =20 return EFI_SUCCESS; } =20 +/** + This function checks the IPv4 packet length. + + @param[in] Packet Pointer to the IPv4 Packet to be checke= d. + + @retval TRUE The input IPv4 packet length is valid. + @retval FALSE The input IPv4 packet length is invalid. + +**/ +BOOLEAN +Ip4IsValidPacketLength ( + IN NET_BUF *Packet + ) +{ + // + // Check the IP4 packet length. + // + if (Packet->TotalSize < IP4_MIN_HEADLEN) { + return FALSE; + } + + return TRUE; +} + /** The IP4 input routine. It is called by the IP4_INTERFACE when a IP4 fragment is received from MNP. =20 @param[in] Ip4Instance The IP4 child that request the receive, m= ost like @@ -842,10 +862,14 @@ Ip4AccpetFrame ( =20 if (EFI_ERROR (IoStatus) || (IpSb->State =3D=3D IP4_SERVICE_DESTROY)) { goto DROP; } =20 + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head =3D (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head !=3D NULL); OptionLen =3D (Head->HeadLen << 2) - IP4_MIN_HEADLEN; if (OptionLen > 0) { Option =3D (UINT8 *) (Head + 1); 
@@ -888,14 +912,18 @@ Ip4AccpetFrame ( // // If the packet is protected by tunnel mode, parse the inner Ip Packet. // ZeroMem (&ZeroHead, sizeof (IP4_HEAD)); if (0 =3D=3D CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) { - // Packet may have been changed. Head, HeadLen, TotalLen, and - // info must be reloaded before use. The ownership of the packet - // is transferred to the packet process logic. - // + // Packet may have been changed. Head, HeadLen, TotalLen, and + // info must be reloaded before use. The ownership of the packet + // is transferred to the packet process logic. + // + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head =3D (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head !=3D NULL); Status =3D Ip4PreProcessPacket ( IpSb, &Packet, --=20 2.16.2.windows.1
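Review bot: In the Ip4PreProcessPacket hunk (@@ -709,14 +709,10), dropping the `(*Packet)->TotalSize < IP4_MIN_HEADLEN` test leaves the function reading Head->HeadLen and Head->TotalLen with no length check of its own, so its safety now depends on every caller having run Ip4IsValidPacketLength first. Either keep the check here as a second line of defence, or state the precondition in the function's header comment so a later caller does not skip it.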
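Review bot: In the hunk that adds Ip4IsValidPacketLength (@@ -806,10 +802,34), the name and the "checks the IPv4 packet length" comment promise more than the body does: it only confirms that Packet->TotalSize is at least IP4_MIN_HEADLEN and never looks at the header's HeadLen or TotalLen fields, while the commit message speaks of a "valid length field". Please word the function comment to say it verifies that the buffer holds a minimum IPv4 header, and note that Packet must be non-NULL since it is dereferenced unconditionally.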
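Review bot: In the first Ip4AccpetFrame hunk (@@ -842,10 +862,14), the new check guarantees only IP4_MIN_HEADLEN bytes, yet the context lines right after it compute OptionLen from the still-unvalidated Head->HeadLen and point Option at (Head + 1). Please confirm Option is not read until HeadLen has been checked against Packet->TotalSize, or bound OptionLen at this point. A short comment on why an undersized packet takes `goto RESTART` while the status check just above takes `goto DROP` would also help.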
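Review bot: In the tunnel-mode hunk of Ip4AccpetFrame (@@ -888,14 +912,18), the new `goto RESTART` sits directly under a comment saying ownership of the packet is transferred to the packet process logic, and the hunk does not show what RESTART does with Packet. Please confirm that this path neither leaks nor double-frees the buffer, and say so in the comment. The check, NetbufGetByte and ASSERT sequence now appears at two sites in this function; a small helper that returns the validated header would keep them from drifting apart.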