mirror of https://github.com/acidanthera/audk.git
fac297724e
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540 Bug Details: PixieFail Bug #7 CVE-2023-45235 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message Change Overview: Performs two checks 1. Checks that the length of the duid is accurate > + // > + // Check that the minimum and maximum requirements are met > + // > + if ((OpLen < PXEBC_MIN_SIZE_OF_DUID) || (OpLen > PXEBC_MAX_SIZE_OF_DUID)) { > + Status = EFI_INVALID_PARAMETER; > + goto ON_ERROR; > + } 2. Ensures that the amount of data written to the buffer is tracked and never exceeds that > + // > + // Check that the option length is valid. > + // > + if ((DiscoverLen + OpLen + PXEBC_COMBINED_SIZE_OF_OPT_CODE_AND_LEN) > DiscoverLenNeeded) { > + Status = EFI_OUT_OF_RESOURCES; > + goto ON_ERROR; > + } Additional code clean up and fix for memory leak in case Option was NULL Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> |
||
|---|---|---|
| .. | ||
| GoogleTest | ||
| ComponentName.c | ||
| PxeBcBoot.c | ||
| PxeBcBoot.h | ||
| PxeBcDhcp4.c | ||
| PxeBcDhcp4.h | ||
| PxeBcDhcp6.c | ||
| PxeBcDhcp6.h | ||
| PxeBcDriver.c | ||
| PxeBcDriver.h | ||
| PxeBcImpl.c | ||
| PxeBcImpl.h | ||
| PxeBcMtftp.c | ||
| PxeBcMtftp.h | ||
| PxeBcSupport.c | ||
| PxeBcSupport.h | ||
| UefiPxeBcDxe.inf | ||
| UefiPxeBcDxe.uni | ||
| UefiPxeBcDxeExtra.uni | ||