From f31453e8d6542461d92d835e0b79fec8b039174d Mon Sep 17 00:00:00 2001 From: "Doug Flick via groups.io" Date: Fri, 26 Jan 2024 05:54:43 +0800 Subject: [PATCH] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535 Bug Details: PixieFail Bug #2 CVE-2023-45230 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Changes Overview: > -UINT8 * > +EFI_STATUS > Dhcp6AppendOption ( > - IN OUT UINT8 *Buf, > - IN UINT16 OptType, > - IN UINT16 OptLen, > - IN UINT8 *Data > + IN OUT EFI_DHCP6_PACKET *Packet, > + IN OUT UINT8 **PacketCursor, > + IN UINT16 OptType, > + IN UINT16 OptLen, > + IN UINT8 *Data > ); Dhcp6AppendOption() and variants can return errors now. All callsites are adapted accordingly. It gets passed in EFI_DHCP6_PACKET as additional parameter ... > + // > + // Verify the PacketCursor is within the packet > + // > + if ( (*PacketCursor < Packet->Dhcp6.Option) > + || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) > + { > + return EFI_INVALID_PARAMETER; > + } ... so it can look at Packet->Size when checking buffer space. Also to allow Packet->Length updates. Lots of checks added. Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] Reviewed-by: Saloni Kasbekar --- NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 43 +++ NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 409 +++++++++++++++++++---------- NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 373 +++++++++++++++++++++----- NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h | 78 +++--- 4 files changed, 666 insertions(+), 237 deletions(-) diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h index 0eb9c669b5..f2422c2f28 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h @@ -45,6 +45,49 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE; #define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S') #define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I') +// +// For more information on DHCP options see RFC 8415, Section 21.1 +// +// The format of DHCP options is: +// +// 0 1 2 3 +// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | option-code | option-len | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// | option-data | +// | (option-len octets) | +// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +// +#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16)) +#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16)) + +// +// Combined size of Code and Length +// +#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \ + DHCP6_SIZE_OF_OPT_LEN) + +STATIC_ASSERT ( + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN == 4, + "Combined size of Code and Length must be 4 per RFC 8415" + ); + +// +// Offset to the length is just past the code +// +#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE) +STATIC_ASSERT ( + DHCP6_OPT_LEN_OFFSET (0) == 2, + "Offset of length is + 2 past start of option" + ); + +#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN) +STATIC_ASSERT ( + DHCP6_OPT_DATA_OFFSET (0) == 4, + "Offset to option data should be +4 from start of option" + ); + #define DHCP6_PACKET_ALL 0 #define DHCP6_PACKET_STATEFUL 1 #define DHCP6_PACKET_STATELESS 2 diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c index dcd01e6268..bf5aa7a769 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c @@ -3,9 +3,9 @@ (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation SPDX-License-Identifier: BSD-2-Clause-Patent - **/ #include "Dhcp6Impl.h" @@ -930,7 +930,8 @@ Dhcp6SendSolicitMsg ( // Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet == NULL) { - return EFI_OUT_OF_RESOURCES; + Status = EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen; @@ -944,54 +945,64 @@ Dhcp6SendSolicitMsg ( Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length); - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendETOption ( - Cursor, + Status = Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendIaOption ( - Cursor, + Status = Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } // // Append user-defined when configurate Dhcp6 service. // for (Index = 0; Index < Instance->Config->OptionCount; Index++) { UserOpt = Instance->Config->OptionList[Index]; - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } - // - // Determine the size/length of packet. - // - Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to user with the packet to be sent and check the user's feedback. // Status = Dhcp6CallbackUser (Instance, Dhcp6SendSolicit, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // @@ -1005,10 +1016,8 @@ Dhcp6SendSolicitMsg ( Instance->StartTime = 0; Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // @@ -1020,6 +1029,14 @@ Dhcp6SendSolicitMsg ( Elapsed, Instance->Config->SolicitRetransmission ); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } /** @@ -1110,7 +1127,8 @@ Dhcp6SendRequestMsg ( // Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet == NULL) { - return EFI_OUT_OF_RESOURCES; + Status = EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen; @@ -1124,51 +1142,67 @@ Dhcp6SendRequestMsg ( Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length); - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendETOption ( - Cursor, + Status = Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendIaOption ( - Cursor, + Status = Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } // // Append user-defined when configurate Dhcp6 service. // for (Index = 0; Index < Instance->Config->OptionCount; Index++) { UserOpt = Instance->Config->OptionList[Index]; - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } - // - // Determine the size/length of packet. - // - Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // @@ -1177,8 +1211,7 @@ Dhcp6SendRequestMsg ( Status = Dhcp6CallbackUser (Instance, Dhcp6SendRequest, &Packet); if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // @@ -1194,14 +1227,21 @@ Dhcp6SendRequestMsg ( Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } /** @@ -1266,7 +1306,8 @@ Dhcp6SendDeclineMsg ( // Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); if (Packet == NULL) { - return EFI_OUT_OF_RESOURCES; + Status = EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE; @@ -1280,42 +1321,58 @@ Dhcp6SendDeclineMsg ( Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length); - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendETOption ( - Cursor, + Status = Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendIaOption (Cursor, DecIa, 0, 0, Packet->Dhcp6.Header.MessageType); + Status = Dhcp6AppendIaOption ( + Packet, + &Cursor, + DecIa, + 0, + 0, + Packet->Dhcp6.Header.MessageType + ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - // - // Determine the size/length of packet. - // - Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to user with the packet to be sent and check the user's feedback. // Status = Dhcp6CallbackUser (Instance, Dhcp6SendDecline, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // @@ -1329,16 +1386,22 @@ Dhcp6SendDeclineMsg ( Instance->StartTime = 0; Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } /** @@ -1399,7 +1462,8 @@ Dhcp6SendReleaseMsg ( // Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE); if (Packet == NULL) { - return EFI_OUT_OF_RESOURCES; + Status = EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE; @@ -1413,45 +1477,61 @@ Dhcp6SendReleaseMsg ( Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length); - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } // // ServerId is extracted from packet, it's network order. // - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendETOption ( - Cursor, + Status = Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendIaOption (Cursor, RelIa, 0, 0, Packet->Dhcp6.Header.MessageType); + Status = Dhcp6AppendIaOption ( + Packet, + &Cursor, + RelIa, + 0, + 0, + Packet->Dhcp6.Header.MessageType + ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - // - // Determine the size/length of packet - // - Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to user with the packet to be sent and check the user's feedback. // Status = Dhcp6CallbackUser (Instance, Dhcp6SendRelease, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // @@ -1461,16 +1541,22 @@ Dhcp6SendReleaseMsg ( Instance->IaCb.Ia->State = Dhcp6Releasing; Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } /** @@ -1529,7 +1615,8 @@ Dhcp6SendRenewRebindMsg ( // Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet == NULL) { - return EFI_OUT_OF_RESOURCES; + Status = EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen; @@ -1543,26 +1630,38 @@ Dhcp6SendRenewRebindMsg ( Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length); - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendETOption ( - Cursor, + Status = Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendIaOption ( - Cursor, + Status = Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } if (!RebindRequest) { // @@ -1578,18 +1677,22 @@ Dhcp6SendRenewRebindMsg ( Dhcp6OptServerId ); if (Option == NULL) { - FreePool (Packet); - return EFI_DEVICE_ERROR; + Status = EFI_DEVICE_ERROR; + goto ON_ERROR; } ServerId = (EFI_DHCP6_DUID *)(Option + 2); - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptServerId), ServerId->Length, ServerId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } // @@ -1597,18 +1700,18 @@ Dhcp6SendRenewRebindMsg ( // for (Index = 0; Index < Instance->Config->OptionCount; Index++) { UserOpt = Instance->Config->OptionList[Index]; - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } - // - // Determine the size/length of packet. - // - Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // @@ -1618,10 +1721,8 @@ Dhcp6SendRenewRebindMsg ( Event = (RebindRequest) ? Dhcp6EnterRebinding : Dhcp6EnterRenewing; Status = Dhcp6CallbackUser (Instance, Event, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // @@ -1638,16 +1739,22 @@ Dhcp6SendRenewRebindMsg ( Instance->StartTime = 0; Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } /** @@ -1811,7 +1918,8 @@ Dhcp6SendInfoRequestMsg ( // Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet == NULL) { - return EFI_OUT_OF_RESOURCES; + Status = EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen; @@ -1828,44 +1936,56 @@ Dhcp6SendInfoRequestMsg ( if (SendClientId) { Length = HTONS (ClientId->Length); - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } - Cursor = Dhcp6AppendETOption ( - Cursor, + Status = Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, OptionRequest->OpCode, OptionRequest->OpLen, OptionRequest->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } // // Append user-defined when configurate Dhcp6 service. // for (Index = 0; Index < OptionCount; Index++) { UserOpt = OptionList[Index]; - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } - // - // Determine the size/length of packet. - // - Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // @@ -1877,16 +1997,22 @@ Dhcp6SendInfoRequestMsg ( // Send info-request packet with no state. // Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, Retransmission); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } /** @@ -1937,7 +2063,8 @@ Dhcp6SendConfirmMsg ( // Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen); if (Packet == NULL) { - return EFI_OUT_OF_RESOURCES; + Status = EFI_OUT_OF_RESOURCES; + goto ON_ERROR; } Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen; @@ -1951,54 +2078,64 @@ Dhcp6SendConfirmMsg ( Cursor = Packet->Dhcp6.Option; Length = HTONS (ClientId->Length); - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, HTONS (Dhcp6OptClientId), Length, ClientId->Duid ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendETOption ( - Cursor, + Status = Dhcp6AppendETOption ( + Packet, + &Cursor, Instance, &Elapsed ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } - Cursor = Dhcp6AppendIaOption ( - Cursor, + Status = Dhcp6AppendIaOption ( + Packet, + &Cursor, Instance->IaCb.Ia, Instance->IaCb.T1, Instance->IaCb.T2, Packet->Dhcp6.Header.MessageType ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } // // Append user-defined when configurate Dhcp6 service. // for (Index = 0; Index < Instance->Config->OptionCount; Index++) { UserOpt = Instance->Config->OptionList[Index]; - Cursor = Dhcp6AppendOption ( - Cursor, + Status = Dhcp6AppendOption ( + Packet, + &Cursor, UserOpt->OpCode, UserOpt->OpLen, UserOpt->Data ); + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } - // - // Determine the size/length of packet. - // - Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option); ASSERT (Packet->Size > Packet->Length + 8); // // Callback to user with the packet to be sent and check the user's feedback. // Status = Dhcp6CallbackUser (Instance, Dhcp6SendConfirm, &Packet); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // @@ -2012,16 +2149,22 @@ Dhcp6SendConfirmMsg ( Instance->StartTime = 0; Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed); - if (EFI_ERROR (Status)) { - FreePool (Packet); - return Status; + goto ON_ERROR; } // // Enqueue the sent packet for the retransmission in case reply timeout. // return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL); + +ON_ERROR: + + if (Packet) { + FreePool (Packet); + } + + return Status; } /** diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c index e6368b5b1c..705c665c51 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c @@ -577,24 +577,33 @@ Dhcp6OnTransmitted ( } /** - Append the option to Buf, and move Buf to the end. + Append the option to Buf, update the length of packet, and move Buf to the end. - @param[in, out] Buf The pointer to the buffer. - @param[in] OptType The option type. - @param[in] OptLen The length of option contents. - @param[in] Data The pointer to the option content. + @param[in, out] Packet A pointer to the packet, on success Packet->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor + will be moved to the end of the option. + @param[in] OptType The option type. + @param[in] OptLen The length of option contents. + @param[in] Data The pointer to the option content. - @return Buf The position to append the next option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendOption ( - IN OUT UINT8 *Buf, - IN UINT16 OptType, - IN UINT16 OptLen, - IN UINT8 *Data + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN UINT16 OptType, + IN UINT16 OptLen, + IN UINT8 *Data ) { + UINT32 Length; + UINT32 BytesNeeded; + // // The format of Dhcp6 option: // @@ -607,35 +616,95 @@ Dhcp6AppendOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // - ASSERT (OptLen != 0); + // + // Verify the arguments are valid + // + if (Packet == NULL) { + return EFI_INVALID_PARAMETER; + } - WriteUnaligned16 ((UINT16 *)Buf, OptType); - Buf += 2; - WriteUnaligned16 ((UINT16 *)Buf, OptLen); - Buf += 2; - CopyMem (Buf, Data, NTOHS (OptLen)); - Buf += NTOHS (OptLen); + if ((PacketCursor == NULL) || (*PacketCursor == NULL)) { + return EFI_INVALID_PARAMETER; + } - return Buf; + if (Data == NULL) { + return EFI_INVALID_PARAMETER; + } + + if (OptLen == 0) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + // + // Calculate the bytes needed for the option + // + BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + NTOHS (OptLen); + + // + // Space remaining in the packet + // + Length = Packet->Size - Packet->Length; + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType); + *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; + WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen); + *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; + CopyMem (*PacketCursor, Data, NTOHS (OptLen)); + *PacketCursor += NTOHS (OptLen); + + // Update the packet length by the length of the option + 4 bytes + Packet->Length += BytesNeeded; + + return EFI_SUCCESS; } /** Append the appointed IA Address option to Buf, and move Buf to the end. - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor + will be moved to the end of the option. @param[in] IaAddr The pointer to the IA Address. @param[in] MessageType Message type of DHCP6 package. - @return Buf The position to append the next option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendIaAddrOption ( - IN OUT UINT8 *Buf, + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, IN EFI_DHCP6_IA_ADDRESS *IaAddr, IN UINT32 MessageType ) { + UINT32 BytesNeeded; + UINT32 Length; + // The format of the IA Address option is: // // 0 1 2 3 @@ -657,17 +726,60 @@ Dhcp6AppendIaAddrOption ( // . . // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + // + // Verify the arguments are valid + // + if (Packet == NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((PacketCursor == NULL) || (*PacketCursor == NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (IaAddr == NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; + BytesNeeded += sizeof (EFI_IPv6_ADDRESS); + // + // Even if the preferred-lifetime is 0, it still needs to store it. + // + BytesNeeded += sizeof (IaAddr->PreferredLifetime); + // + // Even if the valid-lifetime is 0, it still needs to store it. + // + BytesNeeded += sizeof (IaAddr->ValidLifetime); + + // + // Space remaining in the packet + // + Length = Packet->Size - Packet->Length; + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + // // Fill the value of Ia Address option type // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptIaAddr)); - Buf += 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptIaAddr)); + *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; - WriteUnaligned16 ((UINT16 *)Buf, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS))); - Buf += 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS))); + *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; - CopyMem (Buf, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS)); - Buf += sizeof (EFI_IPv6_ADDRESS); + CopyMem (*PacketCursor, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS)); + *PacketCursor += sizeof (EFI_IPv6_ADDRESS); // // Fill the value of preferred-lifetime and valid-lifetime. @@ -675,44 +787,58 @@ Dhcp6AppendIaAddrOption ( // should set to 0 when initiate a Confirm message. // if (MessageType != Dhcp6MsgConfirm) { - WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->PreferredLifetime)); + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->PreferredLifetime)); } - Buf += 4; + *PacketCursor += sizeof (IaAddr->PreferredLifetime); if (MessageType != Dhcp6MsgConfirm) { - WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->ValidLifetime)); + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->ValidLifetime)); } - Buf += 4; + *PacketCursor += sizeof (IaAddr->ValidLifetime); - return Buf; + // + // Update the packet length + // + Packet->Length += BytesNeeded; + + return EFI_SUCCESS; } /** Append the appointed Ia option to Buf, and move Buf to the end. - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor + will be moved to the end of the option. @param[in] Ia The pointer to the Ia. @param[in] T1 The time of T1. @param[in] T2 The time of T2. @param[in] MessageType Message type of DHCP6 package. - @return Buf The position to append the next Ia option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendIaOption ( - IN OUT UINT8 *Buf, - IN EFI_DHCP6_IA *Ia, - IN UINT32 T1, - IN UINT32 T2, - IN UINT32 MessageType + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN EFI_DHCP6_IA *Ia, + IN UINT32 T1, + IN UINT32 T2, + IN UINT32 MessageType ) { - UINT8 *AddrOpt; - UINT16 *Len; - UINTN Index; + UINT8 *AddrOpt; + UINT16 *Len; + UINTN Index; + UINT32 BytesNeeded; + UINT32 Length; + EFI_STATUS Status; // // The format of IA_NA and IA_TA option: @@ -733,32 +859,74 @@ Dhcp6AppendIaOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // + // + // Verify the arguments are valid + // + if (Packet == NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((PacketCursor == NULL) || (*PacketCursor == NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (Ia == NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; + BytesNeeded += sizeof (Ia->Descriptor.IaId); + // + // + N for the IA_NA-options/IA_TA-options + // Dhcp6AppendIaAddrOption will need to check the length for each address + // + if (Ia->Descriptor.Type == Dhcp6OptIana) { + BytesNeeded += sizeof (T1) + sizeof (T2); + } + + // + // Space remaining in the packet + // + Length = (UINT16)(Packet->Size - Packet->Length); + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + // // Fill the value of Ia option type // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (Ia->Descriptor.Type)); - Buf += 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Ia->Descriptor.Type)); + *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; // // Fill the len of Ia option later, keep the pointer first // - Len = (UINT16 *)Buf; - Buf += 2; + Len = (UINT16 *)*PacketCursor; + *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; // // Fill the value of iaid // - WriteUnaligned32 ((UINT32 *)Buf, HTONL (Ia->Descriptor.IaId)); - Buf += 4; + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (Ia->Descriptor.IaId)); + *PacketCursor += sizeof (Ia->Descriptor.IaId); // // Fill the value of t1 and t2 if iana, keep it 0xffffffff if no specified. // if (Ia->Descriptor.Type == Dhcp6OptIana) { - WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T1 != 0) ? T1 : 0xffffffff)); - Buf += 4; - WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T2 != 0) ? T2 : 0xffffffff)); - Buf += 4; + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T1 != 0) ? T1 : 0xffffffff)); + *PacketCursor += sizeof (T1); + WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T2 != 0) ? T2 : 0xffffffff)); + *PacketCursor += sizeof (T2); } // @@ -766,35 +934,51 @@ Dhcp6AppendIaOption ( // for (Index = 0; Index < Ia->IaAddressCount; Index++) { AddrOpt = (UINT8 *)Ia->IaAddress + Index * sizeof (EFI_DHCP6_IA_ADDRESS); - Buf = Dhcp6AppendIaAddrOption (Buf, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType); + Status = Dhcp6AppendIaAddrOption (Packet, PacketCursor, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType); + if (EFI_ERROR (Status)) { + return Status; + } } // // Fill the value of Ia option length // - *Len = HTONS ((UINT16)(Buf - (UINT8 *)Len - 2)); + *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2)); - return Buf; + // + // Update the packet length + // + Packet->Length += BytesNeeded; + + return EFI_SUCCESS; } /** Append the appointed Elapsed time option to Buf, and move Buf to the end. - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet->Length + @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor + will be moved to the end of the option. @param[in] Instance The pointer to the Dhcp6 instance. @param[out] Elapsed The pointer to the elapsed time value in - the generated packet. + the generated packet. - @return Buf The position to append the next Ia option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendETOption ( - IN OUT UINT8 *Buf, - IN DHCP6_INSTANCE *Instance, - OUT UINT16 **Elapsed + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN DHCP6_INSTANCE *Instance, + OUT UINT16 **Elapsed ) { + UINT32 BytesNeeded; + UINT32 Length; + // // The format of elapsed time option: // @@ -806,27 +990,70 @@ Dhcp6AppendETOption ( // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // + // + // Verify the arguments are valid + // + if (Packet == NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((PacketCursor == NULL) || (*PacketCursor == NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (Instance == NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((Elapsed == NULL)) { + return EFI_INVALID_PARAMETER; + } + + // + // Verify the PacketCursor is within the packet + // + if ( (*PacketCursor < Packet->Dhcp6.Option) + || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER)))) + { + return EFI_INVALID_PARAMETER; + } + + BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN; + // + // + 2 for elapsed-time + // + BytesNeeded += sizeof (UINT16); + // + // Space remaining in the packet + // + Length = Packet->Size - Packet->Length; + if (Length < BytesNeeded) { + return EFI_BUFFER_TOO_SMALL; + } + // // Fill the value of elapsed-time option type. // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptElapsedTime)); - Buf += 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptElapsedTime)); + *PacketCursor += DHCP6_SIZE_OF_OPT_CODE; // // Fill the len of elapsed-time option, which is fixed. // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (2)); - Buf += 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (2)); + *PacketCursor += DHCP6_SIZE_OF_OPT_LEN; // // Fill in elapsed time value with 0 value for now. The actual value is // filled in later just before the packet is transmitted. // - WriteUnaligned16 ((UINT16 *)Buf, HTONS (0)); - *Elapsed = (UINT16 *)Buf; - Buf += 2; + WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (0)); + *Elapsed = (UINT16 *)*PacketCursor; + *PacketCursor += sizeof (UINT16); - return Buf; + Packet->Length += BytesNeeded; + + return EFI_SUCCESS; } /** diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h index 046454ff4a..06947f6c1f 100644 --- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h +++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h @@ -160,69 +160,85 @@ Dhcp6OnTransmitted ( ); /** - Append the appointed option to the buf, and move the buf to the end. + Append the option to Buf, update the length of packet, and move Buf to the end. - @param[in, out] Buf The pointer to buffer. - @param[in] OptType The option type. - @param[in] OptLen The length of option content.s - @param[in] Data The pointer to the option content. - - @return Buf The position to append the next option. + @param[in, out] Packet A pointer to the packet, on success Packet->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor + will be moved to the end of the option. + @param[in] OptType The option type. + @param[in] OptLen The length of option contents. + @param[in] Data The pointer to the option content. + @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendOption ( - IN OUT UINT8 *Buf, - IN UINT16 OptType, - IN UINT16 OptLen, - IN UINT8 *Data + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN UINT16 OptType, + IN UINT16 OptLen, + IN UINT8 *Data ); /** - Append the Ia option to Buf, and move Buf to the end. - - @param[in, out] Buf The pointer to the position to append. + Append the appointed Ia option to Buf, update the Ia option length, and move Buf + to the end of the option. + @param[in, out] Packet A pointer to the packet, on success Packet->Length + will be updated. + @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor + will be moved to the end of the option. @param[in] Ia The pointer to the Ia. @param[in] T1 The time of T1. @param[in] T2 The time of T2. @param[in] MessageType Message type of DHCP6 package. - @return Buf The position to append the next Ia option. - + @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendIaOption ( - IN OUT UINT8 *Buf, - IN EFI_DHCP6_IA *Ia, - IN UINT32 T1, - IN UINT32 T2, - IN UINT32 MessageType + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN EFI_DHCP6_IA *Ia, + IN UINT32 T1, + IN UINT32 T2, + IN UINT32 MessageType ); /** Append the appointed Elapsed time option to Buf, and move Buf to the end. - @param[in, out] Buf The pointer to the position to append. + @param[in, out] Packet A pointer to the packet, on success Packet->Length + @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor + will be moved to the end of the option. @param[in] Instance The pointer to the Dhcp6 instance. @param[out] Elapsed The pointer to the elapsed time value in the generated packet. - @return Buf The position to append the next Ia option. + @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. + @retval EFI_SUCCESS The option is appended successfully. **/ -UINT8 * +EFI_STATUS Dhcp6AppendETOption ( - IN OUT UINT8 *Buf, - IN DHCP6_INSTANCE *Instance, - OUT UINT16 **Elapsed + IN OUT EFI_DHCP6_PACKET *Packet, + IN OUT UINT8 **PacketCursor, + IN DHCP6_INSTANCE *Instance, + OUT UINT16 **Elapsed ); /** Set the elapsed time based on the given instance and the pointer to the elapsed time option. - @param[in] Elapsed The pointer to the position to append. - @param[in] Instance The pointer to the Dhcp6 instance. + @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid + @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option. + @retval EFI_SUCCESS The option is appended successfully. **/ VOID SetElapsedTime (