0aa9ecf1e3
- edk2-Apply-uncrustify-changes-to-.c-.h-files-in-the-Netwo.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Apply-uncrustify-changes.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p2.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p3.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p4.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Apply-uncrustify-changes-p2.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852] - Resolves: RHEL-21840 (CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8]) - Resolves: RHEL-21844 (CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-8]) - Resolves: RHEL-21846 (CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-8]) - Resolves: RHEL-21848 (CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-8]) - Resolves: RHEL-21850 (CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-8]) - Resolves: RHEL-21852 (CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-8])
162 lines
5.3 KiB
Diff
162 lines
5.3 KiB
Diff
From 4bf844922a963cb20fb1e72ca11a65a673992ca2 Mon Sep 17 00:00:00 2001
|
|
From: Jon Maloy <jmaloy@redhat.com>
|
|
Date: Fri, 16 Feb 2024 10:48:05 -0500
|
|
Subject: [PATCH 14/15] NetworkPkg: Dhcp6Dxe: Removes duplicate check and
|
|
replaces with macro
|
|
|
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
|
RH-MergeRequest: 56: Pixiefail issues in NetworkPkg package
|
|
RH-Jira: RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852
|
|
RH-Acked-by: Gerd Hoffmann <None>
|
|
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
|
|
RH-Commit: [14/15] a943400f9267b219bf1fd202534500f82a2a4c56
|
|
|
|
JIRA: https://issues.redhat.com/browse/RHEL-21840
|
|
CVE: CVE-2023-45229
|
|
Upstream: Merged
|
|
|
|
commit af3fad99d6088881562e50149f414f76a5be0140
|
|
Author: Doug Flick <dougflick@microsoft.com>
|
|
Date: Tue Feb 13 10:46:01 2024 -0800
|
|
|
|
NetworkPkg: Dhcp6Dxe: Removes duplicate check and replaces with macro
|
|
|
|
Removes duplicate check after merge
|
|
|
|
>
|
|
> //
|
|
> // Verify the PacketCursor is within the packet
|
|
> //
|
|
> if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
> || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size -
|
|
sizeof (EFI_DHCP6_HEADER))))
|
|
> {
|
|
> return EFI_INVALID_PARAMETER;
|
|
> }
|
|
>
|
|
|
|
Converts the check to a macro and replaces all instances of the check
|
|
with the macro
|
|
|
|
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
|
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
|
|
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
|
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
|
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
|
|
|
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
|
---
|
|
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 43 +++++++++++++-----------------
|
|
1 file changed, 18 insertions(+), 25 deletions(-)
|
|
|
|
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
|
|
index 484c360a96..e172ffc2a2 100644
|
|
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
|
|
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
|
|
@@ -10,6 +10,15 @@
|
|
|
|
#include "Dhcp6Impl.h"
|
|
|
|
+//
|
|
+// Verifies the packet cursor is within the packet
|
|
+// otherwise it is invalid
|
|
+//
|
|
+#define IS_INVALID_PACKET_CURSOR(PacketCursor, Packet) \
|
|
+ (((*PacketCursor) < (Packet)->Dhcp6.Option) || \
|
|
+ ((*PacketCursor) >= (Packet)->Dhcp6.Option + ((Packet)->Size - sizeof(EFI_DHCP6_HEADER))) \
|
|
+ ) \
|
|
+
|
|
|
|
/**
|
|
Generate client Duid in the format of Duid-llt.
|
|
@@ -662,9 +671,7 @@ Dhcp6AppendOption (
|
|
//
|
|
// Verify the PacketCursor is within the packet
|
|
//
|
|
- if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
- {
|
|
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
|
|
return EFI_INVALID_PARAMETER;
|
|
}
|
|
|
|
@@ -681,15 +688,6 @@ Dhcp6AppendOption (
|
|
return EFI_BUFFER_TOO_SMALL;
|
|
}
|
|
|
|
- //
|
|
- // Verify the PacketCursor is within the packet
|
|
- //
|
|
- if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
- {
|
|
- return EFI_INVALID_PARAMETER;
|
|
- }
|
|
-
|
|
WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType);
|
|
*PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
|
|
WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen);
|
|
@@ -768,9 +766,7 @@ Dhcp6AppendIaAddrOption (
|
|
//
|
|
// Verify the PacketCursor is within the packet
|
|
//
|
|
- if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
- {
|
|
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
|
|
return EFI_INVALID_PARAMETER;
|
|
}
|
|
|
|
@@ -902,9 +898,7 @@ Dhcp6AppendIaOption (
|
|
//
|
|
// Verify the PacketCursor is within the packet
|
|
//
|
|
- if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
- {
|
|
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
|
|
return EFI_INVALID_PARAMETER;
|
|
}
|
|
|
|
@@ -966,14 +960,14 @@ Dhcp6AppendIaOption (
|
|
}
|
|
|
|
//
|
|
- // Fill the value of Ia option length
|
|
+ // Update the packet length
|
|
//
|
|
- *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2));
|
|
+ Packet->Length += BytesNeeded;
|
|
|
|
//
|
|
- // Update the packet length
|
|
+ // Fill the value of Ia option length
|
|
//
|
|
- Packet->Length += BytesNeeded;
|
|
+ *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2));
|
|
|
|
return EFI_SUCCESS;
|
|
}
|
|
@@ -982,6 +976,7 @@ Dhcp6AppendIaOption (
|
|
Append the appointed Elapsed time option to Buf, and move Buf to the end.
|
|
|
|
@param[in, out] Packet A pointer to the packet, on success Packet->Length
|
|
+ will be updated.
|
|
@param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
|
|
will be moved to the end of the option.
|
|
@param[in] Instance The pointer to the Dhcp6 instance.
|
|
@@ -1037,9 +1032,7 @@ Dhcp6AppendETOption (
|
|
//
|
|
// Verify the PacketCursor is within the packet
|
|
//
|
|
- if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
- {
|
|
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
|
|
return EFI_INVALID_PARAMETER;
|
|
}
|
|
|
|
--
|
|
2.39.3
|
|
|