79 lines
2.3 KiB
Diff
79 lines
2.3 KiB
Diff
From d51f47c8654f44a787d70b675830ebc7a4ea74f6 Mon Sep 17 00:00:00 2001
|
|
From: Jon Maloy <jmaloy@redhat.com>
|
|
Date: Thu, 15 Feb 2024 11:51:09 -0500
|
|
Subject: [PATCH 06/18] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
|
|
|
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
|
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
|
|
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
|
|
RH-Acked-by: Gerd Hoffmann <None>
|
|
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
|
RH-Commit: [6/18] 58ad218f1216ac1ea34ca01ef8cc21e207e2eaf2
|
|
|
|
JIRA: https://issues.redhat.com/browse/RHEL-21845
|
|
CVE: CVE-2022-45231
|
|
Upstream: Merged
|
|
|
|
commit bbfee34f4188ac00371abe1389ae9c9fb989a0cd
|
|
Author: Doug Flick <dougflick@microsoft.com>
|
|
Date: Fri Jan 26 05:54:48 2024 +0800
|
|
|
|
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
|
|
|
|
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536
|
|
|
|
Bug Overview:
|
|
PixieFail Bug #3
|
|
CVE-2023-45231
|
|
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
|
CWE-125 Out-of-bounds Read
|
|
|
|
Out-of-bounds read when handling a ND Redirect message with truncated
|
|
options
|
|
|
|
Change Overview:
|
|
|
|
Adds a check to prevent truncated options from being parsed
|
|
+ //
|
|
+ // Cannot process truncated options.
|
|
+ // Cannot process options with a length of 0 as there is no Type
|
|
field.
|
|
+ //
|
|
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
|
|
+ return FALSE;
|
|
+ }
|
|
|
|
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
|
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
|
|
|
|
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
|
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
|
|
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
|
---
|
|
NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
|
|
index 199eea124d..8718d5d875 100644
|
|
--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
|
|
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
|
|
@@ -137,6 +137,14 @@ Ip6IsNDOptionValid (
|
|
return FALSE;
|
|
}
|
|
|
|
+ //
|
|
+ // Cannot process truncated options.
|
|
+ // Cannot process options with a length of 0 as there is no Type field.
|
|
+ //
|
|
+ if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
|
|
+ return FALSE;
|
|
+ }
|
|
+
|
|
Offset = 0;
|
|
|
|
//
|
|
--
|
|
2.39.3
|
|
|