edk2/edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch
Miroslav Rezanina 0aa9ecf1e3 * Tue Feb 27 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-12
- edk2-Apply-uncrustify-changes-to-.c-.h-files-in-the-Netwo.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-Apply-uncrustify-changes.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p2.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p3.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p4.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-Apply-uncrustify-changes-p2.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch [RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852]
- Resolves: RHEL-21840
  (CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-8])
- Resolves: RHEL-21844
  (CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-8])
- Resolves: RHEL-21846
  (CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-8])
- Resolves: RHEL-21848
  (CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-8])
- Resolves: RHEL-21850
  (CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-8])
- Resolves: RHEL-21852
  (CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-8])
2024-02-27 06:10:11 -05:00

162 lines
5.3 KiB
Diff

From 4bf844922a963cb20fb1e72ca11a65a673992ca2 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 14/15] NetworkPkg: Dhcp6Dxe: Removes duplicate check and
replaces with macro
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 56: Pixiefail issues in NetworkPkg package
RH-Jira: RHEL-21840 RHEL-21844 RHEL-21846 RHEL-21848 RHEL-21850 RHEL-21852
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Commit: [14/15] a943400f9267b219bf1fd202534500f82a2a4c56
JIRA: https://issues.redhat.com/browse/RHEL-21840
CVE: CVE-2023-45229
Upstream: Merged
commit af3fad99d6088881562e50149f414f76a5be0140
Author: Doug Flick <dougflick@microsoft.com>
Date: Tue Feb 13 10:46:01 2024 -0800
NetworkPkg: Dhcp6Dxe: Removes duplicate check and replaces with macro
Removes duplicate check after merge
>
> //
> // Verify the PacketCursor is within the packet
> //
> if ( (*PacketCursor < Packet->Dhcp6.Option)
> || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size -
sizeof (EFI_DHCP6_HEADER))))
> {
> return EFI_INVALID_PARAMETER;
> }
>
Converts the check to a macro and replaces all instances of the check
with the macro
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 43 +++++++++++++-----------------
1 file changed, 18 insertions(+), 25 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
index 484c360a96..e172ffc2a2 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
@@ -10,6 +10,15 @@
#include "Dhcp6Impl.h"
+//
+// Verifies the packet cursor is within the packet
+// otherwise it is invalid
+//
+#define IS_INVALID_PACKET_CURSOR(PacketCursor, Packet) \
+ (((*PacketCursor) < (Packet)->Dhcp6.Option) || \
+ ((*PacketCursor) >= (Packet)->Dhcp6.Option + ((Packet)->Size - sizeof(EFI_DHCP6_HEADER))) \
+ ) \
+
/**
Generate client Duid in the format of Duid-llt.
@@ -662,9 +671,7 @@ Dhcp6AppendOption (
//
// Verify the PacketCursor is within the packet
//
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
return EFI_INVALID_PARAMETER;
}
@@ -681,15 +688,6 @@ Dhcp6AppendOption (
return EFI_BUFFER_TOO_SMALL;
}
- //
- // Verify the PacketCursor is within the packet
- //
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
- return EFI_INVALID_PARAMETER;
- }
-
WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType);
*PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen);
@@ -768,9 +766,7 @@ Dhcp6AppendIaAddrOption (
//
// Verify the PacketCursor is within the packet
//
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
return EFI_INVALID_PARAMETER;
}
@@ -902,9 +898,7 @@ Dhcp6AppendIaOption (
//
// Verify the PacketCursor is within the packet
//
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
return EFI_INVALID_PARAMETER;
}
@@ -966,14 +960,14 @@ Dhcp6AppendIaOption (
}
//
- // Fill the value of Ia option length
+ // Update the packet length
//
- *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2));
+ Packet->Length += BytesNeeded;
//
- // Update the packet length
+ // Fill the value of Ia option length
//
- Packet->Length += BytesNeeded;
+ *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2));
return EFI_SUCCESS;
}
@@ -982,6 +976,7 @@ Dhcp6AppendIaOption (
Append the appointed Elapsed time option to Buf, and move Buf to the end.
@param[in, out] Packet A pointer to the packet, on success Packet->Length
+ will be updated.
@param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
will be moved to the end of the option.
@param[in] Instance The pointer to the Dhcp6 instance.
@@ -1037,9 +1032,7 @@ Dhcp6AppendETOption (
//
// Verify the PacketCursor is within the packet
//
- if ( (*PacketCursor < Packet->Dhcp6.Option)
- || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
- {
+ if (IS_INVALID_PACKET_CURSOR (PacketCursor, Packet)) {
return EFI_INVALID_PARAMETER;
}
--
2.39.3