From: "Doug Flick via groups.io"
To: devel@edk2.groups.io
Cc: "Douglas Flick [MSFT]", Saloni Kasbekar, Zachary Clark-williams
Subject: [edk2-devel] [PATCH 01/14] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
Date: Tue, 23 Jan 2024 19:33:24 -0800
Message-ID: <931c86114b8f62b633f92aeb8573d2559c66c0f0.1706062164.git.doug.edk2@gmail.com>
Reply-To: devel@edk2.groups.io,dougflick@microsoft.com

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535

SECURITY PATCH - Patch TCBZ4535
CVE-2023-45230
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Cc: Saloni Kasbekar
Cc: Zachary Clark-williams
Signed-off-by: Doug Flick [MSFT]
---
 NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h    |  43 +++
 NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h |  78 +++---
 NetworkPkg/Dhcp6Dxe/Dhcp6Io.c      | 409 +++++++++++++++++++----------
 NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 373 +++++++++++++++++++++-----
 4 files changed, 666 insertions(+), 237 deletions(-)

diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Imp= l.h index 0eb9c669b5a1..f2422c2f2827 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h 
@@ -45,6 +45,49 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; #define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S') #define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I') =20 +// +// For more information on DHCP options see RFC 8415, Section 21.1 +// +// The format of DHCP options is: +// +// 0 1 2 3 +// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | option-code | option-len | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | option-data | +// | (option-len octets) | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// +#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16)) +#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16)) + +// +// Combined size of Code and Length +// +#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \ + DHCP6_SIZE_OF_OPT_LEN) + +STATIC_ASSERT ( + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN =3D=3D 4, + "Combined size of Code and Length must be 4 per RFC 8415" + ); + +// +// Offset to the length is just past the code +// +#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE) +STATIC_ASSERT ( + DHCP6_OPT_LEN_OFFSET (0) =3D=3D 2, + "Offset of length is + 2 past start of option" + ); + +#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) +STATIC_ASSERT ( + DHCP6_OPT_DATA_OFFSET (0) =3D=3D 4, + "Offset to option data should be +4 from start of option" + ); + #define DHCP6_PACKET_ALL 0 #define DHCP6_PACKET_STATEFUL 1 #define DHCP6_PACKET_STATELESS 2 diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h b/NetworkPkg/Dhcp6Dxe/Dhcp6= Utility.h index 046454ff4ac2..06947f6c1fcf 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h 
@@ -160,69 +160,85 @@ Dhcp6OnTransmitted ( ); =20 /** - Append the appointed option to the buf, and move the buf to the end. + Append the option to Buf, update the length of packet, and move Buf to t= he end. =20 - @param[in, out] Buf The pointer to buffer. - @param[in] OptType The option type. - @param[in] OptLen The length of option content.s - @param[in] Data The pointer to the option content. - - @return Buf The position to append the next option. + @param[in, out] Packet A pointer to the packet, on success Packe= t->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success Pac= ketCursor + will be moved to the end of the option. + @param[in] OptType The option type. + @param[in] OptLen The length of option contents. + @param[in] Data The pointer to the option content. =20 + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendOption ( - IN OUT UINT8 *Buf, - IN UINT16 OptType, - IN UINT16 OptLen, - IN UINT8 *Data + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN UINT16 OptType, + IN UINT16 OptLen, + IN UINT8 *Data ); =20 /** - Append the Ia option to Buf, and move Buf to the end. - - @param[in, out] Buf The pointer to the position to append. + Append the appointed Ia option to Buf, update the Ia option length, and = move Buf + to the end of the option. + @param[in, out] Packet A pointer to the packet, on success Packet= ->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success Pac= ketCursor + will be moved to the end of the option. @param[in] Ia The pointer to the Ia. @param[in] T1 The time of T1. @param[in] T2 The time of T2. @param[in] MessageType Message type of DHCP6 package. =20 - @return Buf The position to append the next Ia option. 
- + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendIaOption ( - IN OUT UINT8 *Buf, - IN EFI_DHCP6_IA *Ia, - IN UINT32 T1, - IN UINT32 T2, - IN UINT32 MessageType + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN EFI_DHCP6_IA *Ia, + IN UINT32 T1, + IN UINT32 T2, + IN UINT32 MessageType ); =20 /** Append the appointed Elapsed time option to Buf, and move Buf to the end. =20 - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet= ->Length + @param[in, out] PacketCursor The pointer in the packet, on success Pac= ketCursor + will be moved to the end of the option. @param[in] Instance The pointer to the Dhcp6 instance. @param[out] Elapsed The pointer to the elapsed time value in the generated packet. =20 - @return Buf The position to append the next Ia option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. =20 **/ -UINT8 * +EFI_STATUS Dhcp6AppendETOption ( - IN OUT UINT8 *Buf, - IN DHCP6_INSTANCE *Instance, - OUT UINT16 **Elapsed + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN DHCP6_INSTANCE *Instance, + OUT UINT16 **Elapsed ); =20 /** Set the elapsed time based on the given instance and the pointer to the elapsed time option. =20 - @param[in] Elapsed The pointer to the position to append. - @param[in] Instance The pointer to the Dhcp6 instance. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. 
**/ VOID SetElapsedTime ( diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c index dcd01e6268b1..bf5aa7a769de 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c @@ -3,9 +3,9 @@ =20 (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation =20 SPDX-License-Identifier: BSD-2-Clause-Patent - **/ =20 #include "Dhcp6Impl.h" @@ -930,7 +930,8 @@ Dhcp6SendSolicitMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE + UserLen; @@ -944,54 +945,64 @@ Dhcp6SendSolicitMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption ( - Cursor, + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 // // Append user-defined when configurate Dhcp6 service. // for (Index =3D 0; Index < Instance->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->OptionList[Index]; - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // // Callback to user with the packet to be sent and check the user's feed= back. // Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendSolicit, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // 
@@ -1005,10 +1016,8 @@ Dhcp6SendSolicitMsg ( Instance->StartTime =3D 0; =20 Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -1020,6 +1029,14 @@ Dhcp6SendSolicitMsg ( Elapsed, Instance->Config->SolicitRetransmission ); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1110,7 +1127,8 @@ Dhcp6SendRequestMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE + UserLen; 
@@ -1124,51 +1142,67 @@ Dhcp6SendRequestMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption ( - Cursor, + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 // // Append user-defined when configurate Dhcp6 service. // for (Index =3D 0; Index < Instance->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->OptionList[Index]; - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // @@ -1177,8 +1211,7 @@ Dhcp6SendRequestMsg ( Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendRequest, &Packet); =20 if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // 
@@ -1194,14 +1227,21 @@ Dhcp6SendRequestMsg ( Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); =20 if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1266,7 +1306,8 @@ Dhcp6SendDeclineMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE; 
@@ -1280,42 +1321,58 @@ Dhcp6SendDeclineMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption (Cursor, DecIa, 0, 0, Packet->Dhcp6.Heade= r.MessageType); + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, + DecIa, + 0, + 0, + Packet->Dhcp6.Header.MessageType + ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // // Callback to user with the packet to be sent and check the user's feed= back. // Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendDecline, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -1329,16 +1386,22 @@ Dhcp6SendDeclineMsg ( Instance->StartTime =3D 0; =20 Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** 
@@ -1399,7 +1462,8 @@ Dhcp6SendReleaseMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE; @@ -1413,45 +1477,61 @@ Dhcp6SendReleaseMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 // // ServerId is extracted from packet, it's network order. // - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption (Cursor, RelIa, 0, 0, Packet->Dhcp6.Heade= r.MessageType); + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, + RelIa, + 0, + 0, + Packet->Dhcp6.Header.MessageType + ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - // - // Determine the size/length of packet - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // // Callback to user with the packet to be sent and check the user's feed= back. // Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendRelease, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // 
@@ -1461,16 +1541,22 @@ Dhcp6SendReleaseMsg ( Instance->IaCb.Ia->State =3D Dhcp6Releasing; =20 Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1529,7 +1615,8 @@ Dhcp6SendRenewRebindMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE + UserLen; @@ -1543,26 +1630,38 @@ Dhcp6SendRenewRebindMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption ( - Cursor, + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 if (!RebindRequest) { // @@ -1578,18 +1677,22 @@ Dhcp6SendRenewRebindMsg ( Dhcp6OptServerId ); if (Option =3D=3D NULL) { - FreePool (Packet); - return EFI_DEVICE_ERROR; + Status =3D EFI_DEVICE_ERROR; + goto ON_ERROR; } =20 ServerId =3D (EFI_DHCP6_DUID *)(Option + 2); =20 - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 // 
@@ -1597,18 +1700,18 @@ Dhcp6SendRenewRebindMsg ( // for (Index =3D 0; Index < Instance->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->OptionList[Index]; - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // @@ -1618,10 +1721,8 @@ Dhcp6SendRenewRebindMsg ( Event =3D (RebindRequest) ? Dhcp6EnterRebinding : Dhcp6EnterRenewing; =20 Status =3D Dhcp6CallbackUser (Instance, Event, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -1638,16 +1739,22 @@ Dhcp6SendRenewRebindMsg ( Instance->StartTime =3D 0; =20 Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1811,7 +1918,8 @@ Dhcp6SendInfoRequestMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE + UserLen; 
@@ -1828,44 +1936,56 @@ Dhcp6SendInfoRequestMsg ( =20 if (SendClientId) { Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, OptionRequest->OpCode, OptionRequest->OpLen, OptionRequest->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 // // Append user-defined when configurate Dhcp6 service. // for (Index =3D 0; Index < OptionCount; Index++) { UserOpt =3D OptionList[Index]; - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // @@ -1877,16 +1997,22 @@ Dhcp6SendInfoRequestMsg ( // Send info-request packet with no state. // Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, Retransmission); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** @@ -1937,7 +2063,8 @@ Dhcp6SendConfirmMsg ( // Packet =3D AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } =20 Packet->Size =3D DHCP6_BASE_PACKET_SIZE + UserLen; 
@@ -1951,54 +2078,64 @@ Dhcp6SendConfirmMsg ( Cursor =3D Packet->Dhcp6.Option; =20 Length =3D HTONS (ClientId->Length); - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendETOption ( - Cursor, + Status =3D Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 - Cursor =3D Dhcp6AppendIaOption ( - Cursor, + Status =3D Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } =20 // // Append user-defined when configurate Dhcp6 service. // for (Index =3D 0; Index < Instance->Config->OptionCount; Index++) { UserOpt =3D Instance->Config->OptionList[Index]; - Cursor =3D Dhcp6AppendOption ( - Cursor, + Status =3D Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } =20 - // - // Determine the size/length of packet. - // - Packet->Length +=3D (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); =20 // // Callback to user with the packet to be sent and check the user's feed= back. // Status =3D Dhcp6CallbackUser (Instance, Dhcp6SendConfirm, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // @@ -2012,16 +2149,22 @@ Dhcp6SendConfirmMsg ( Instance->StartTime =3D 0; =20 Status =3D Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } =20 // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } =20 /** 
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6= Utility.c index e6368b5b1c6c..705c665c519d 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c @@ -577,24 +577,33 @@ Dhcp6OnTransmitted ( } =20 /** - Append the option to Buf, and move Buf to the end. + Append the option to Buf, update the length of packet, and move Buf to t= he end. =20 - @param[in, out] Buf The pointer to the buffer. - @param[in] OptType The option type. - @param[in] OptLen The length of option contents. - @param[in] Data The pointer to the option content. + @param[in, out] Packet A pointer to the packet, on success Packe= t->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success Pac= ketCursor + will be moved to the end of the option. + @param[in] OptType The option type. + @param[in] OptLen The length of option contents. + @param[in] Data The pointer to the option content. =20 - @return Buf The position to append the next option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. =20 **/ -UINT8 * +EFI_STATUS Dhcp6AppendOption ( - IN OUT UINT8 *Buf, - IN UINT16 OptType, - IN UINT16 OptLen, - IN UINT8 *Data + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN UINT16 OptType, + IN UINT16 OptLen, + IN UINT8 *Data ) { + UINT32 Length; + UINT32 BytesNeeded; + // // The format of Dhcp6 option: // 
@@ -607,35 +616,95 @@ Dhcp6AppendOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // =20 - ASSERT (OptLen !=3D 0); + // + // Verify the arguments are valid + // + if (Packet =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } =20 - WriteUnaligned16 ((UINT16 *)Buf, OptType); - Buf +=3D 2; - WriteUnaligned16 ((UINT16 *)Buf, OptLen); - Buf +=3D 2; - CopyMem (Buf, Data, NTOHS (OptLen)); - Buf +=3D NTOHS (OptLen); + if ((PacketCursor =3D=3D NULL) || (*PacketCursor =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } =20 - return Buf; + if (Data =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + if (OptLen =3D=3D 0) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof = (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + // + // Calculate the bytes needed for the option + // + BytesNeeded =3D DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + NTOHS (OptLen); + + // + // Space remaining in the packet + // + Length =3D Packet->Size - Packet->Length; + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof = (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_CODE; + WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN; + CopyMem (*PacketCursor, Data, NTOHS (OptLen)); + *PacketCursor +=3D NTOHS (OptLen); + + // Update the packet length by the length of the option + 4 bytes + Packet->Length +=3D BytesNeeded; + + return EFI_SUCCESS; } =20 /** Append the appointed IA Address option to Buf, and move Buf to the end. 
=20 - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet= ->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success Pack= etCursor + will be moved to the end of the option. @param[in] IaAddr The pointer to the IA Address. @param[in] MessageType Message type of DHCP6 package. =20 - @return Buf The position to append the next option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. =20 **/ -UINT8 * +EFI_STATUS Dhcp6AppendIaAddrOption ( - IN OUT UINT8 *Buf, + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, IN EFI_DHCP6_IA_ADDRESS *IaAddr, IN UINT32 MessageType ) { + UINT32 BytesNeeded; + UINT32 Length; + // The format of the IA Address option is: // // 0 1 2 3 
@@ -657,17 +726,60 @@ Dhcp6AppendIaAddrOption ( // . . // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ =20 + // + // Verify the arguments are valid + // + if (Packet =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((PacketCursor =3D=3D NULL) || (*PacketCursor =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (IaAddr =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof = (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + BytesNeeded =3D DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; + BytesNeeded +=3D sizeof (EFI_IPv6_ADDRESS); + // + // Even if the preferred-lifetime is 0, it still needs to store it. + // + BytesNeeded +=3D sizeof (IaAddr->PreferredLifetime); + // + // Even if the valid-lifetime is 0, it still needs to store it. + // + BytesNeeded +=3D sizeof (IaAddr->ValidLifetime); + + // + // Space remaining in the packet + // + Length =3D Packet->Size - Packet->Length; + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + // // Fill the value of Ia Address option type // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptIaAddr)); - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptIaAddr)); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_CODE; =20 - WriteUnaligned16 ((UINT16 *)Buf, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS))); - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (sizeof (EFI_DHCP6_IA_A= DDRESS))); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN; =20 - CopyMem (Buf, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS)); - Buf +=3D sizeof (EFI_IPv6_ADDRESS); + CopyMem (*PacketCursor, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS)); + *PacketCursor +=3D sizeof (EFI_IPv6_ADDRESS); =20 // // Fill the value of preferred-lifetime and valid-lifetime. 
@@ -675,44 +787,58 @@ Dhcp6AppendIaAddrOption ( // should set to 0 when initiate a Confirm message. // if (MessageType !=3D Dhcp6MsgConfirm) { - WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->PreferredLifetime)); + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->PreferredLif= etime)); } =20 - Buf +=3D 4; + *PacketCursor +=3D sizeof (IaAddr->PreferredLifetime); =20 if (MessageType !=3D Dhcp6MsgConfirm) { - WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->ValidLifetime)); + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->ValidLifetim= e)); } =20 - Buf +=3D 4; + *PacketCursor +=3D sizeof (IaAddr->ValidLifetime); =20 - return Buf; + // + // Update the packet length + // + Packet->Length +=3D BytesNeeded; + + return EFI_SUCCESS; } =20 /** Append the appointed Ia option to Buf, and move Buf to the end. =20 - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet= ->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success Pack= etCursor + will be moved to the end of the option. @param[in] Ia The pointer to the Ia. @param[in] T1 The time of T1. @param[in] T2 The time of T2. @param[in] MessageType Message type of DHCP6 package. =20 - @return Buf The position to append the next Ia option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. 
=20 **/ -UINT8 * +EFI_STATUS Dhcp6AppendIaOption ( - IN OUT UINT8 *Buf, - IN EFI_DHCP6_IA *Ia, - IN UINT32 T1, - IN UINT32 T2, - IN UINT32 MessageType + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN EFI_DHCP6_IA *Ia, + IN UINT32 T1, + IN UINT32 T2, + IN UINT32 MessageType ) { - UINT8 *AddrOpt; - UINT16 *Len; - UINTN Index; + UINT8 *AddrOpt; + UINT16 *Len; + UINTN Index; + UINT32 BytesNeeded; + UINT32 Length; + EFI_STATUS Status; =20 // // The format of IA_NA and IA_TA option: 
@@ -733,32 +859,74 @@ Dhcp6AppendIaOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // =20 + // + // Verify the arguments are valid + // + if (Packet =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((PacketCursor =3D=3D NULL) || (*PacketCursor =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (Ia =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof = (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + BytesNeeded =3D DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; + BytesNeeded +=3D sizeof (Ia->Descriptor.IaId); + // + // + N for the IA_NA-options/IA_TA-options + // Dhcp6AppendIaAddrOption will need to check the length for each address + // + if (Ia->Descriptor.Type =3D=3D Dhcp6OptIana) { + BytesNeeded +=3D sizeof (T1) + sizeof (T2); + } + + // + // Space remaining in the packet + // + Length =3D (UINT16)(Packet->Size - Packet->Length); + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + // // Fill the value of Ia option type // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (Ia->Descriptor.Type)); - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Ia->Descriptor.Type)); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_CODE; =20 // // Fill the len of Ia option later, keep the pointer first // - Len =3D (UINT16 *)Buf; - Buf +=3D 2; + Len =3D (UINT16 *)*PacketCursor; + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN; =20 // // Fill the value of iaid // - WriteUnaligned32 ((UINT32 *)Buf, HTONL (Ia->Descriptor.IaId)); - Buf +=3D 4; + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (Ia->Descriptor.IaId)); + *PacketCursor +=3D sizeof (Ia->Descriptor.IaId); =20 // // Fill the value of t1 and t2 if iana, keep it 0xffffffff if no specifi= ed. 
// if (Ia->Descriptor.Type =3D=3D Dhcp6OptIana) { - WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T1 !=3D 0) ? T1 : 0xffffffff)= ); - Buf +=3D 4; - WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T2 !=3D 0) ? T2 : 0xffffffff)= ); - Buf +=3D 4; + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T1 !=3D 0) ? T1 : 0= xffffffff)); + *PacketCursor +=3D sizeof (T1); + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T2 !=3D 0) ? T2 : 0= xffffffff)); + *PacketCursor +=3D sizeof (T2); } =20 // 
@@ -766,35 +934,51 @@ Dhcp6AppendIaOption ( // for (Index =3D 0; Index < Ia->IaAddressCount; Index++) { AddrOpt =3D (UINT8 *)Ia->IaAddress + Index * sizeof (EFI_DHCP6_IA_ADDR= ESS); - Buf =3D Dhcp6AppendIaAddrOption (Buf, (EFI_DHCP6_IA_ADDRESS *)Addr= Opt, MessageType); + Status =3D Dhcp6AppendIaAddrOption (Packet, PacketCursor, (EFI_DHCP6_= IA_ADDRESS *)AddrOpt, MessageType); + if (EFI_ERROR (Status)) { + return Status; + } } =20 // // Fill the value of Ia option length // - *Len =3D HTONS ((UINT16)(Buf - (UINT8 *)Len - 2)); + *Len =3D HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2)); =20 - return Buf; + // + // Update the packet length + // + Packet->Length +=3D BytesNeeded; + + return EFI_SUCCESS; } =20 /** Append the appointed Elapsed time option to Buf, and move Buf to the end. =20 - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet= ->Length + @param[in, out] PacketCursor The pointer in the packet, on success Pack= etCursor + will be moved to the end of the option. @param[in] Instance The pointer to the Dhcp6 instance. @param[out] Elapsed The pointer to the elapsed time value in - the generated packet. + the generated packet. =20 - @return Buf The position to append the next Ia option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was= invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the op= tion. + @retval EFI_SUCCESS The option is appended successfully. =20 **/ -UINT8 * +EFI_STATUS Dhcp6AppendETOption ( - IN OUT UINT8 *Buf, - IN DHCP6_INSTANCE *Instance, - OUT UINT16 **Elapsed + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN DHCP6_INSTANCE *Instance, + OUT UINT16 **Elapsed ) { + UINT32 BytesNeeded; + UINT32 Length; + // // The format of elapsed time option: // 
@@ -806,27 +990,70 @@ Dhcp6AppendETOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // =20 + // + // Verify the arguments are valid + // + if (Packet =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((PacketCursor =3D=3D NULL) || (*PacketCursor =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (Instance =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((Elapsed =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >=3D Packet->Dhcp6.Option + (Packet->Size - sizeof = (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + BytesNeeded =3D DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; + // + // + 2 for elapsed-time + // + BytesNeeded +=3D sizeof (UINT16); + // + // Space remaining in the packet + // + Length =3D Packet->Size - Packet->Length; + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + // // Fill the value of elapsed-time option type. // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptElapsedTime)); - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptElapsedTime)); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_CODE; =20 // // Fill the len of elapsed-time option, which is fixed. // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (2)); - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (2)); + *PacketCursor +=3D DHCP6_SIZE_OF_OPT_LEN; =20 // // Fill in elapsed time value with 0 value for now. The actual value is // filled in later just before the packet is transmitted. 
// - WriteUnaligned16 ((UINT16 *)Buf, HTONS (0)); - *Elapsed =3D (UINT16 *)Buf; - Buf +=3D 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (0)); + *Elapsed =3D (UINT16 *)*PacketCursor; + *PacketCursor +=3D sizeof (UINT16); =20 - return Buf; + Packet->Length +=3D BytesNeeded; + + return EFI_SUCCESS; } =20 /** --=20 2.43.0
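Review bot: In the @@ -657 hunk of Dhcp6AppendIaAddrOption, the free-space check `Length = Packet->Size - Packet->Length` runs without first confirming that Packet->Length <= Packet->Size, so an inconsistent packet makes the UINT32 subtraction wrap and the `Length < BytesNeeded` test pass. The check is also independent of *PacketCursor: the cursor test only proves the cursor lies somewhere in the option area, not that BytesNeeded bytes remain after it. Suggest returning EFI_INVALID_PARAMETER when Packet->Length > Packet->Size and deriving the remaining space from the cursor, or verifying that the cursor sits at the end of the data described by Packet->Length. Separately, the option-len field is written as sizeof (EFI_DHCP6_IA_ADDRESS) while BytesNeeded sums the three member sizes; a STATIC_ASSERT that the two agree would keep them from drifting apart.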
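Review bot: In the @@ -675 hunk, for Dhcp6MsgConfirm both lifetime fields are skipped rather than written: the cursor advances and the 8 bytes are counted in BytesNeeded and Packet->Length, but their contents are whatever the buffer already held. The comment says the fields should be set to 0, which holds only if the caller zero-allocated the packet, and that is not visible in this patch. Suggest writing 0 explicitly in an else branch, or stating the zero-initialisation requirement in the function header. The header comment for Dhcp6AppendIaOption in the same hunk also still reads "Append the appointed Ia option to Buf, and move Buf to the end" although Buf is no longer a parameter.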
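Review bot: In the @@ -733 hunk of Dhcp6AppendIaOption, `Length = (UINT16)(Packet->Size - Packet->Length);` truncates the remaining space to 16 bits although Length is declared UINT32 and the same computation in Dhcp6AppendIaAddrOption and Dhcp6AppendETOption has no cast. With more than 0xFFFF bytes free, the truncated value can fall below BytesNeeded and return a spurious EFI_BUFFER_TOO_SMALL; with Packet->Length > Packet->Size the cast masks the wrap instead of reporting it. Suggest dropping the cast and adding an explicit Packet->Length <= Packet->Size check so all three functions behave the same way.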
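Review bot: In the @@ -766 hunk, the early `return Status;` inside the address loop leaves the packet half-updated: the IA header has already been written and *PacketCursor advanced, Packet->Length includes any addresses appended so far but not the header's BytesNeeded, and the option-len at Len is never filled in. The header comment promises cursor and length updates "on success" only. Suggest saving the cursor and Packet->Length on entry and restoring them before returning an error, or documenting that the packet must be discarded on failure. Two smaller points in the same hunk: `*Len = HTONS (...)` stores through a UINT16 pointer directly while every other field uses WriteUnaligned16, and the new @param Packet line for Dhcp6AppendETOption lost its "will be updated." continuation.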
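Review bot: In the @@ -806 hunk of Dhcp6AppendETOption, `if ((Elapsed == NULL)) {` has a redundant pair of parentheses, unlike the other NULL checks added in this patch. The elapsed-time size is also expressed in two different ways: `HTONS (2)` for the option-len, and sizeof (UINT16) for both BytesNeeded and the cursor advance. A single named constant would make it obvious that the length written and the bytes reserved are the same value. *Elapsed is only assigned on the success path, so the @param[out] text should say that it is not valid after an error return.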