diff options
author | Fu Siyuan <siyuan.fu@intel.com> | 2016-11-16 13:36:37 +0800 |
---|---|---|
committer | Fu Siyuan <siyuan.fu@intel.com> | 2016-11-21 09:44:24 +0800 |
commit | 9cc6e36325f921f2caa4ba7f0c00a8ab4ae88cf9 (patch) | |
tree | 0c0052a1d8786f3de9f5eaf30698c215f6be3be4 | |
parent | c9eb8f9e4b255069821a7c4be85af9d55531058e (diff) | |
download | edk2-9cc6e36325f921f2caa4ba7f0c00a8ab4ae88cf9.zip edk2-9cc6e36325f921f2caa4ba7f0c00a8ab4ae88cf9.tar.gz edk2-9cc6e36325f921f2caa4ba7f0c00a8ab4ae88cf9.tar.bz2 |
MdeModulePkg: Check for the max DHCP packet length before use it.
This patch updates the PXE driver to drop the input DHCP packet if it
exceed the maximum length.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-By: Wu Jiaxin <jiaxin.wu@intel.com>
(cherry picked from commit 4f6b33b460226bc1a54d8af2c0f4fe195f2f04ce)
-rw-r--r-- | MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c | 23 | ||||
-rw-r--r-- | MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h | 2 |
2 files changed, 24 insertions, 1 deletions
diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c index 6c06373..156154c 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c @@ -908,6 +908,14 @@ PxeBcDhcpCallBack ( case Dhcp4SendDiscover:
case Dhcp4SendRequest:
+ if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) {
+ //
+ // If the to be sent packet exceeds the maximum length, abort the DHCP process.
+ //
+ Status = EFI_ABORTED;
+ break;
+ }
+
if (Mode->SendGUID) {
//
// send the system GUID instead of the MAC address as the hardware address
@@ -938,6 +946,13 @@ PxeBcDhcpCallBack ( case Dhcp4RcvdOffer:
Status = EFI_NOT_READY;
+ if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) {
+ //
+ // Ignore the incoming Offers which exceed the maximum length.
+ //
+ break;
+ }
+
if (Private->NumOffers < PXEBC_MAX_OFFER_NUM) {
//
// Cache the dhcp offers in Private->Dhcp4Offers[]
@@ -963,6 +978,14 @@ PxeBcDhcpCallBack ( break;
case Dhcp4RcvdAck:
+ if (Packet->Length > PXEBC_DHCP4_MAX_PACKET_SIZE) {
+ //
+ // Abort the DHCP if the ACK packet exceeds the maximum length.
+ //
+ Status = EFI_ABORTED;
+ break;
+ }
+
//
// Cache Ack
//
diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h index 1626060..bdf137f 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.h @@ -18,7 +18,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define PXEBC_DHCP4_MAX_OPTION_NUM 16
#define PXEBC_DHCP4_MAX_OPTION_SIZE 312
-#define PXEBC_DHCP4_MAX_PACKET_SIZE 1472
+#define PXEBC_DHCP4_MAX_PACKET_SIZE (sizeof (EFI_PXE_BASE_CODE_PACKET))
#define PXEBC_DHCP4_S_PORT 67
#define PXEBC_DHCP4_C_PORT 68
|