From 4f6b33b460226bc1a54d8af2c0f4fe195f2f04ce Mon Sep 17 00:00:00 2001
From: Fu Siyuan
Date: Wed, 16 Nov 2016 13:36:37 +0800
Subject: [PATCH] MdeModulePkg: Check for the max DHCP packet length before use it.
This patch updates the PXE driver to drop the input DHCP packet if it exceed the maximum length.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan
Reviewed-By: Wu Jiaxin
---
 .../Network/UefiPxeBcDxe/PxeBcDhcp.c | 23 +++++++++++++++++++
 .../Network/UefiPxeBcDxe/PxeBcDhcp.h | 2 +-
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c
index eac955cd71..f03176b7ca 100644
--- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c
+++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c
@@ -912,6 +912,14 @@ PxeBcDhcpCallBack (
 case Dhcp4SendDiscover:
 case Dhcp4SendRequest:
+ if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) {
+ //
+ // If the to be sent packet exceeds the maximum length, abort the DHCP process.
+ //
+ Status = EFI_ABORTED;
+ break;
+ }
+
 if (Mode->SendGUID) {
 //
 // send the system GUID instead of the MAC address as the hardware address
@@ -942,6 +950,13 @@ PxeBcDhcpCallBack (
 case Dhcp4RcvdOffer:
 Status = EFI_NOT_READY;
+ if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) {
+ //
+ // Ignore the incoming Offers which exceed the maximum length.
+ //
+ break;
+ }
+
 if (Private->NumOffers < PXEBC_MAX_OFFER_NUM) {
 //
 // Cache the dhcp offers in Private->Dhcp4Offers[]
@@ -967,6 +982,14 @@ PxeBcDhcpCallBack (
 break;
 case Dhcp4RcvdAck:
+ if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) {
+ //
+ // Abort the DHCP if the ACK packet exceeds the maximum length.
+ //
+ Status = EFI_ABORTED;
+ break;
+ }
+
 //
 // Cache Ack
 //
diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h
index abdf05d3a5..614ea75e75 100644
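Review bot: The same `Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE` test is written out three times in PxeBcDhcp.c, in the Dhcp4SendDiscover/Dhcp4SendRequest case and again in the Dhcp4RcvdOffer and Dhcp4RcvdAck hunks, while the copies it is meant to protect lie outside every hunk, so nothing visible ties the bound to the buffer being written. Each guard should name the destination it protects, for example `// Packet is cached in an EFI_PXE_BASE_CODE_PACKET-sized buffer below; a longer packet would overrun it.` (presumably that is the destination, given the new macro definition; confirm against the copy). Any other case of the switch in PxeBcDhcpCallBack that copies from Packet is not shown here and would need the same check; the function body starts and ends outside the hunks.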
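Review bot: An over-length offer is dropped in the Dhcp4RcvdOffer case of PxeBcDhcp.c without any trace, so a server on the segment that keeps sending oversized DHCP packets stays invisible when a PXE boot stalls or selects an unexpected offer. A debug message before the `break`, such as `DEBUG ((EFI_D_WARN, "PxeBc: ignoring DHCP offer of %u bytes, over the maximum\n", Packet->Length));`, would make the drop diagnosable, assuming DebugLib is already available to this file. The two `EFI_ABORTED` paths in the Dhcp4SendDiscover/Dhcp4SendRequest and Dhcp4RcvdAck hunks would benefit from the same message.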
--- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h
+++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h
@@ -18,7 +18,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #define PXEBC_DHCP4_MAX_OPTION_NUM 16
 #define PXEBC_DHCP4_MAX_OPTION_SIZE 312
-#define PXEBC_DHCP4_MAX_PACKET_SIZE 1472
+#define PXEBC_DHCP4_MAX_PACKET_SIZE (sizeof (EFI_PXE_BASE_CODE_PACKET))
 #define PXEBC_DHCP4_S_PORT 67
 #define PXEBC_DHCP4_C_PORT 68
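Review bot: Redefining `PXEBC_DHCP4_MAX_PACKET_SIZE` as `(sizeof (EFI_PXE_BASE_CODE_PACKET))` turns the macro from an int literal into a UINTN expression, and every other use of it, none of which is visible in this diff, changes with it. Any use in a preprocessor `#if`, in a narrowing assignment, or as a value written into an outgoing packet should be rechecked against the new type. A comment on the define would record why it is no longer a literal, for example `// Upper bound for a cached DHCP packet; must equal the size of EFI_PXE_BASE_CODE_PACKET, the buffer packets are copied into.`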