tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-07-28 16:14:04 +02:00
Code Issues Packages Projects Releases Wiki Activity

NetworkPkg: Check received packet size before use it.

Browse Source 
Arbitrary length of packet may be received from network, including the
packets with zero payload data or malformed protocol header. So the code
much check the actually received data size before using it. For example, in
current edk2 network stack, an zero payload UDP packet may cause the
platform ASSERT in NetbufFromExt() because of the zero fragment number.
This patch update the IpIoLib and UdpIoLib to check and discard the zero
payload data packet to avoid above assert. Some other network drivers are
also updated to check the packet size to guarantee the minimum length of
protocol header is received from upper layer driver.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Sriram Subramanian <sriram-s@hpe.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
This commit is contained in:
Fu Siyuan 2016-03-28 11:01:03 +08:00
parent 1b31acb66c
commit 37b680116d
4 changed files with 40 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
View File

@ -2,7 +2,7 @@
Dhcp6 internal functions implementation. Dhcp6 internal functions implementation.
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR> (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
@ -2827,6 +2827,10 @@ Dhcp6ReceivePacket (
return ; return ;
} }
if (Udp6Wrap->TotalSize < sizeof (EFI_DHCP6_HEADER)) {
goto ON_CONTINUE;
}
// //
// Copy the net buffer received from upd6 to a Dhcp6 packet. // Copy the net buffer received from upd6 to a Dhcp6 packet.
// //

6
NetworkPkg/DnsDxe/DnsImpl.c
View File

@ -1616,6 +1616,10 @@ DnsOnPacketReceived (
ASSERT (Packet != NULL); ASSERT (Packet != NULL);
if (Packet->TotalSize <= sizeof (DNS_HEADER)) {
goto ON_EXIT;
}
RcvString = NetbufGetByte (Packet, 0, NULL); RcvString = NetbufGetByte (Packet, 0, NULL);
ASSERT (RcvString != NULL); ASSERT (RcvString != NULL);
@ -1624,7 +1628,7 @@ DnsOnPacketReceived (
// //
ParseDnsResponse (Instance, RcvString, &Completed); ParseDnsResponse (Instance, RcvString, &Completed);
ON_EXIT: ON_EXIT:
if (Packet != NULL) { if (Packet != NULL) {
NetbufFree (Packet); NetbufFree (Packet);

13
NetworkPkg/TcpDxe/TcpInput.c
View File

@ -1,7 +1,7 @@
/** @file /** @file
TCP input process routines. TCP input process routines.
Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR> Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
@ -748,11 +748,18 @@ TcpInput (
Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL); Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);
ASSERT (Head != NULL); ASSERT (Head != NULL);
if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {
DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));
goto DISCARD;
}
Len = Nbuf->TotalSize - (Head->HeadLen << 2); Len = Nbuf->TotalSize - (Head->HeadLen << 2);
if ((Head->HeadLen < 5) || (Len < 0)) { if ((Head->HeadLen < 5) || (Len < 0)) {
DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n")); DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));
goto DISCARD; goto DISCARD;
} }
@ -1560,6 +1567,10 @@ TcpIcmpInput (
BOOLEAN IcmpErrIsHard; BOOLEAN IcmpErrIsHard;
BOOLEAN IcmpErrNotify; BOOLEAN IcmpErrNotify;
if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {
goto CLEAN_EXIT;
}
Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL); Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);
ASSERT (Head != NULL); ASSERT (Head != NULL);

13
NetworkPkg/Udp6Dxe/Udp6Impl.c
View File

@ -1,7 +1,7 @@
/** @file /** @file
Udp6 driver's whole implementation. Udp6 driver's whole implementation.
Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR> Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
@ -1598,6 +1598,11 @@ Udp6Demultiplex (
EFI_UDP6_SESSION_DATA *Udp6Session; EFI_UDP6_SESSION_DATA *Udp6Session;
UINTN Enqueued; UINTN Enqueued;
if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) {
NetbufFree (Packet);
return;
}
// //
// Get the datagram header from the packet buffer. // Get the datagram header from the packet buffer.
// //
@ -1619,6 +1624,7 @@ Udp6Demultiplex (
// //
// Wrong checksum. // Wrong checksum.
// //
NetbufFree (Packet);
return; return;
} }
} }
@ -1834,6 +1840,11 @@ Udp6IcmpHandler (
LIST_ENTRY *Entry; LIST_ENTRY *Entry;
UDP6_INSTANCE_DATA *Instance; UDP6_INSTANCE_DATA *Instance;
if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) {
NetbufFree (Packet);
return;
}
Udp6Header = (EFI_UDP_HEADER *) NetbufGetByte (Packet, 0, NULL); Udp6Header = (EFI_UDP_HEADER *) NetbufGetByte (Packet, 0, NULL);
ASSERT (Udp6Header != NULL); ASSERT (Udp6Header != NULL);