diff options
| author | Fu Siyuan <siyuan.fu@intel.com> | 2016-03-28 11:00:31 +0800 |
|---|---|---|
| committer | Fu Siyuan <siyuan.fu@intel.com> | 2016-04-01 13:30:08 +0800 |
| commit | 1b31acb66c026f2791c959a4ec9b55c04d583c22 (patch) | |
| tree | 42fc503e3bf61e9c67de7b063898830d5aa3704e /MdeModulePkg | |
| parent | d9ba76b489ea26de8551d32651c726ad992377b5 (diff) | |
| download | edk2-1b31acb66c026f2791c959a4ec9b55c04d583c22.zip edk2-1b31acb66c026f2791c959a4ec9b55c04d583c22.tar.gz edk2-1b31acb66c026f2791c959a4ec9b55c04d583c22.tar.bz2 | |
MdeModulePkg: Check received packet size before use it.
Arbitrary length of packet may be received from network, including the
packets with zero payload data or malformed protocol header. So the code
much check the actually received data size before using it. For example, in
current edk2 network stack, an zero payload UDP packet may cause the
platform ASSERT in NetbufFromExt() because of the zero fragment number.
This patch update the IpIoLib and UdpIoLib to check and discard the zero
payload data packet to avoid above assert. Some other network drivers are
also updated to check the packet size to guarantee the minimum length of
protocol header is received from upper layer driver.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Sriram Subramanian <sriram-s@hpe.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
Diffstat (limited to 'MdeModulePkg')
| -rw-r--r-- | MdeModulePkg/Library/DxeIpIoLib/DxeIpIoLib.c | 78 | ||||
| -rw-r--r-- | MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c | 23 | ||||
| -rw-r--r-- | MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c | 17 | ||||
| -rw-r--r-- | MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Input.c | 14 | ||||
| -rw-r--r-- | MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c | 13 |
5 files changed, 111 insertions, 34 deletions
diff --git a/MdeModulePkg/Library/DxeIpIoLib/DxeIpIoLib.c b/MdeModulePkg/Library/DxeIpIoLib/DxeIpIoLib.c index cc93c2b..ab4df80 100644 --- a/MdeModulePkg/Library/DxeIpIoLib/DxeIpIoLib.c +++ b/MdeModulePkg/Library/DxeIpIoLib/DxeIpIoLib.c @@ -2,7 +2,7 @@ IpIo Library.
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
-Copyright (c) 2005 - 2009, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -1029,42 +1029,56 @@ IpIoListenHandlerDpc ( if (IpIo->IpVersion == IP_VERSION_4) {
if ((EFI_IP4 (RxData->Ip4RxData.Header->SourceAddress) != 0) &&
- !NetIp4IsUnicast (EFI_NTOHL (((EFI_IP4_RECEIVE_DATA *) RxData)->Header->SourceAddress), 0)) {
+ !NetIp4IsUnicast (EFI_NTOHL (((EFI_IP4_RECEIVE_DATA *) RxData)->Header->SourceAddress), 0)) {
+ //
+ // The source address is not zero and it's not a unicast IP address, discard it.
+ //
+ goto CleanUp;
+ }
+
+ if (RxData->Ip4RxData.DataLength == 0) {
+ //
+ // Discard zero length data payload packet.
+ //
+ goto CleanUp;
+ }
+
//
- // The source address is not zero and it's not a unicast IP address, discard it.
+ // Create a netbuffer representing IPv4 packet
//
- goto CleanUp;
- }
-
- //
- // Create a netbuffer representing IPv4 packet
- //
- Pkt = NetbufFromExt (
- (NET_FRAGMENT *) RxData->Ip4RxData.FragmentTable,
- RxData->Ip4RxData.FragmentCount,
- 0,
- 0,
- IpIoExtFree,
- RxData->Ip4RxData.RecycleSignal
- );
- if (NULL == Pkt) {
- goto CleanUp;
- }
+ Pkt = NetbufFromExt (
+ (NET_FRAGMENT *) RxData->Ip4RxData.FragmentTable,
+ RxData->Ip4RxData.FragmentCount,
+ 0,
+ 0,
+ IpIoExtFree,
+ RxData->Ip4RxData.RecycleSignal
+ );
+ if (NULL == Pkt) {
+ goto CleanUp;
+ }
- //
- // Create a net session
- //
- Session.Source.Addr[0] = EFI_IP4 (RxData->Ip4RxData.Header->SourceAddress);
- Session.Dest.Addr[0] = EFI_IP4 (RxData->Ip4RxData.Header->DestinationAddress);
- Session.IpHdr.Ip4Hdr = RxData->Ip4RxData.Header;
- Session.IpHdrLen = RxData->Ip4RxData.HeaderLength;
- Session.IpVersion = IP_VERSION_4;
+ //
+ // Create a net session
+ //
+ Session.Source.Addr[0] = EFI_IP4 (RxData->Ip4RxData.Header->SourceAddress);
+ Session.Dest.Addr[0] = EFI_IP4 (RxData->Ip4RxData.Header->DestinationAddress);
+ Session.IpHdr.Ip4Hdr = RxData->Ip4RxData.Header;
+ Session.IpHdrLen = RxData->Ip4RxData.HeaderLength;
+ Session.IpVersion = IP_VERSION_4;
} else {
if (!NetIp6IsValidUnicast(&RxData->Ip6RxData.Header->SourceAddress)) {
goto CleanUp;
}
+ if (RxData->Ip6RxData.DataLength == 0) {
+ //
+ // Discard zero length data payload packet.
+ //
+ goto CleanUp;
+ }
+
//
// Create a netbuffer representing IPv6 packet
//
@@ -1279,6 +1293,14 @@ IpIoOpen ( // configure ip
//
if (IpVersion == IP_VERSION_4){
+ //
+ // RawData mode is no supported.
+ //
+ ASSERT (!OpenData->IpConfigData.Ip4CfgData.RawData);
+ if (OpenData->IpConfigData.Ip4CfgData.RawData) {
+ return EFI_UNSUPPORTED;
+ }
+
Status = IpIo->Ip.Ip4->Configure (
IpIo->Ip.Ip4,
&OpenData->IpConfigData.Ip4CfgData
diff --git a/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c b/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c index e1d72f3..4f7126d 100644 --- a/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c +++ b/MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.c @@ -1,7 +1,7 @@ /** @file
Help functions to access UDP service, it is used by both the DHCP and MTFTP.
-Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at<BR>
@@ -215,6 +215,12 @@ UdpIoOnDgramRcvdDpc ( // Build a NET_BUF from the UDP receive data, then deliver it up.
//
if (RxToken->UdpIo->UdpVersion == UDP_IO_UDP4_VERSION) {
+ if (((EFI_UDP4_RECEIVE_DATA *) RxData)->DataLength == 0) {
+ //
+ // Discard zero length data payload packet.
+ //
+ goto Resume;
+ }
Netbuf = NetbufFromExt (
(NET_FRAGMENT *)((EFI_UDP4_RECEIVE_DATA *) RxData)->FragmentTable,
@@ -252,6 +258,12 @@ UdpIoOnDgramRcvdDpc ( EndPoint.LocalAddr.Addr[0] = NTOHL (EndPoint.LocalAddr.Addr[0]);
EndPoint.RemoteAddr.Addr[0] = NTOHL (EndPoint.RemoteAddr.Addr[0]);
} else {
+ if (((EFI_UDP6_RECEIVE_DATA *) RxData)->DataLength == 0) {
+ //
+ // Discard zero length data payload packet.
+ //
+ goto Resume;
+ }
Netbuf = NetbufFromExt (
(NET_FRAGMENT *)((EFI_UDP6_RECEIVE_DATA *) RxData)->FragmentTable,
@@ -291,6 +303,15 @@ UdpIoOnDgramRcvdDpc ( }
RxToken->CallBack (Netbuf, &EndPoint, EFI_SUCCESS, RxToken->Context);
+
+Resume:
+ if (RxToken->UdpIo->UdpVersion == UDP_IO_UDP4_VERSION) {
+ gBS->SignalEvent (((EFI_UDP4_RECEIVE_DATA *) RxData)->RecycleSignal);
+ RxToken->UdpIo->Protocol.Udp4->Receive (RxToken->UdpIo->Protocol.Udp4, &RxToken->Token.Udp4);
+ } else {
+ gBS->SignalEvent (((EFI_UDP6_RECEIVE_DATA *) RxData)->RecycleSignal);
+ RxToken->UdpIo->Protocol.Udp6->Receive (RxToken->UdpIo->Protocol.Udp6, &RxToken->Token.Udp6);
+ }
}
/**
diff --git a/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c b/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c index 633c3e7..afe4929 100644 --- a/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c +++ b/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c @@ -1,7 +1,7 @@ /** @file
The implementation of the ARP protocol.
-Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at<BR>
@@ -112,15 +112,28 @@ ArpOnFrameRcvdDpc ( // Status is EFI_SUCCESS, process the received frame.
//
RxData = RxToken->Packet.RxData;
- Head = (ARP_HEAD *) RxData->PacketData;
+ //
+ // Sanity check.
+ //
+ if (RxData->DataLength < sizeof (ARP_HEAD)) {
+ //
+ // Restart the receiving if packet size is not correct.
+ //
+ goto RESTART_RECEIVE;
+ }
//
// Convert the byte order of the multi-byte fields.
//
+ Head = (ARP_HEAD *) RxData->PacketData;
Head->HwType = NTOHS (Head->HwType);
Head->ProtoType = NTOHS (Head->ProtoType);
Head->OpCode = NTOHS (Head->OpCode);
+ if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) {
+ goto RESTART_RECEIVE;
+ }
+
if ((Head->HwType != ArpService->SnpMode.IfType) ||
(Head->HwAddrLen != ArpService->SnpMode.HwAddressSize) ||
(RxData->ProtocolType != ARP_ETHER_PROTO_TYPE)) {
diff --git a/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Input.c b/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Input.c index 209127d..11936ad 100644 --- a/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Input.c +++ b/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Input.c @@ -1,7 +1,7 @@ /** @file
TCP input process routines.
-Copyright (c) 2005 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -711,12 +711,18 @@ TcpInput ( Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);
ASSERT (Head != NULL);
+
+ if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {
+ DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));
+ goto DISCARD;
+ }
+
Len = Nbuf->TotalSize - (Head->HeadLen << 2);
if ((Head->HeadLen < 5) || (Len < 0) ||
(TcpChecksum (Nbuf, NetPseudoHeadChecksum (Src, Dst, 6, 0)) != 0)) {
- DEBUG ((EFI_D_INFO, "TcpInput: received an mal-formated packet\n"));
+ DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));
goto DISCARD;
}
@@ -1423,6 +1429,10 @@ TcpIcmpInput ( BOOLEAN IcmpErrIsHard;
BOOLEAN IcmpErrNotify;
+ if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {
+ goto CLEAN_EXIT;
+ }
+
Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);
ASSERT (Head != NULL);
Tcb = TcpLocateTcb (
diff --git a/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c b/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c index 4f077d6..df95077 100644 --- a/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c +++ b/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c @@ -1,7 +1,7 @@ /** @file
The implementation of the Udp4 protocol.
-Copyright (c) 2006 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2016 Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -1608,6 +1608,11 @@ Udp4Demultiplex ( EFI_UDP4_SESSION_DATA *Udp4Session;
UINTN Enqueued;
+ if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) {
+ NetbufFree (Packet);
+ return;
+ }
+
//
// Get the datagram header from the packet buffer.
//
@@ -1629,6 +1634,7 @@ Udp4Demultiplex ( //
// Wrong checksum.
//
+ NetbufFree (Packet);
return;
}
}
@@ -1797,6 +1803,11 @@ Udp4IcmpHandler ( LIST_ENTRY *Entry;
UDP4_INSTANCE_DATA *Instance;
+ if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) {
+ NetbufFree (Packet);
+ return;
+ }
+
Udp4Header = (EFI_UDP_HEADER *) NetbufGetByte (Packet, 0, NULL);
ASSERT (Udp4Header != NULL);
|