NetworkPkg/Dhcp6Dxe: Fix sanitizer issues

* EFI_DHCP6_DUID structure declares Duid[1], so the size of that structure is not large enough to hold an entire Duid. Instead, compute the correct size to allocate an EFI_DHCP6_DUID structure. * Dhcp6AppendOption() takes a length parameter that in network order. Update test cases to make sure a network order length is passed in. A value of 0x0004 was being passed in and was then converted to 0x0400 length and buffer overflow was detected. Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
2025-04-08 17:05:09 +02:00 · 2024-10-23 18:51:22 -07:00 · 2024-10-23 18:51:22 -07:00 · 599c8309a5
commit 599c8309a5
parent 171335e34e
1 changed files with 3 additions and 3 deletions
--- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
@ -161,7 +161,7 @@ TEST_F (Dhcp6AppendOptionTest, ValidDataExpectSuccess) {
  Packet->Length = sizeof (EFI_DHCP6_HEADER);
  OriginalLength = Packet->Length;

-  UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
+  UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (OFFSET_OF (EFI_DHCP6_DUID, Duid) + sizeof (Duid));
  ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);

  UntrustedDuid->Length = NTOHS (sizeof (Duid));
@ -763,7 +763,7 @@ TEST_F (Dhcp6SeekStsOptionTest, SeekIATAOptionExpectFail) {
             Dhcp6SeekStsOptionTest::Packet,
             &Option,
             Dhcp6OptStatusCode,
-             SearchPatternLength,
+             HTONS (SearchPatternLength),
             (UINT8 *)&SearchPattern
             );
  ASSERT_EQ (Status, EFI_SUCCESS);
@ -815,7 +815,7 @@ TEST_F (Dhcp6SeekStsOptionTest, SeekIANAOptionExpectSuccess) {
             Dhcp6SeekStsOptionTest::Packet,
             &Option,
             Dhcp6OptStatusCode,
-             SearchPatternLength,
+             HTONS (SearchPatternLength),
             (UINT8 *)&SearchPattern
             );
  ASSERT_EQ (Status, EFI_SUCCESS);