NetworkPkg/Ip6Dxe: Improve Neightbor Discovery message validation.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2174 Problem has been identified with Ip6ProcessRouterAdvertise() when Router Advertise packet contains options with malicious/invalid 'Length' field. This can lead to platform entering infinite loop when processing options from that packet. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
author: Maciej Rabeda <maciej.rabeda@linux.intel.com> 2020-03-02 13:25:20 +0100
committer: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2020-03-30 13:13:29 +0000
commit: 9c20342eed70ec99ec50cd73cb81804299f05403 (patch)
tree: 53858f07cfa8eb6dbb59738d537bfd7111e91736 /NetworkPkg/Ip6Dxe/Ip6Nd.h
parent: 3000c2963db319d055f474c394b062af910bbb2f (diff)
download: edk2-9c20342eed70ec99ec50cd73cb81804299f05403.zip
edk2-9c20342eed70ec99ec50cd73cb81804299f05403.tar.gz
edk2-9c20342eed70ec99ec50cd73cb81804299f05403.tar.bz2
1 files changed, 13 insertions, 0 deletions
diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h
index 560dfa3..5f1bd6f 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Nd.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h
@@ -56,12 +56,21 @@ VOID
   VOID                      *Context
   );
 
+typedef struct _IP6_OPTION_HEADER {
+  UINT8                     Type;
+  UINT8                     Length;
+} IP6_OPTION_HEADER;
+
+STATIC_ASSERT (sizeof (IP6_OPTION_HEADER) == 2, "IP6_OPTION_HEADER is expected to be exactly 2 bytes long.");
+
 typedef struct _IP6_ETHE_ADDR_OPTION {
   UINT8                     Type;
   UINT8                     Length;
   UINT8                     EtherAddr[6];
 } IP6_ETHER_ADDR_OPTION;
 
+STATIC_ASSERT (sizeof (IP6_ETHER_ADDR_OPTION) == 8, "IP6_ETHER_ADDR_OPTION is expected to be exactly 8 bytes long.");
+
 typedef struct _IP6_MTU_OPTION {
   UINT8                     Type;
   UINT8                     Length;
@@ -69,6 +78,8 @@ typedef struct _IP6_MTU_OPTION {
   UINT32                    Mtu;
 } IP6_MTU_OPTION;
 
+STATIC_ASSERT (sizeof (IP6_MTU_OPTION) == 8, "IP6_MTU_OPTION is expected to be exactly 8 bytes long.");
+
 typedef struct _IP6_PREFIX_INFO_OPTION {
   UINT8                     Type;
   UINT8                     Length;
@@ -80,6 +91,8 @@ typedef struct _IP6_PREFIX_INFO_OPTION {
   EFI_IPv6_ADDRESS          Prefix;
 } IP6_PREFIX_INFO_OPTION;
 
+STATIC_ASSERT (sizeof (IP6_PREFIX_INFO_OPTION) == 32, "IP6_PREFIX_INFO_OPTION is expected to be exactly 32 bytes long.");
+
 typedef
 VOID
 (*IP6_DAD_CALLBACK) (
author	Maciej Rabeda <maciej.rabeda@linux.intel.com>	2020-03-02 13:25:20 +0100
committer	mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>	2020-03-30 13:13:29 +0000
commit	9c20342eed70ec99ec50cd73cb81804299f05403 (patch)
tree	53858f07cfa8eb6dbb59738d537bfd7111e91736 /NetworkPkg/Ip6Dxe/Ip6Nd.h
parent	3000c2963db319d055f474c394b062af910bbb2f (diff)
download	edk2-9c20342eed70ec99ec50cd73cb81804299f05403.zip edk2-9c20342eed70ec99ec50cd73cb81804299f05403.tar.gz edk2-9c20342eed70ec99ec50cd73cb81804299f05403.tar.bz2