path: root/NetworkPkg/Ip6Dxe/Ip6Option.c
Age | Commit message | Author | Files | Lines

2024-02-06 | NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch | Doug Flick | 1 | -11/+65

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538

Bug Details:
PixieFail Bug #4 CVE-2023-45232
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Infinite loop when parsing unknown options in the Destination Options header

PixieFail Bug #5 CVE-2023-45233
CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Infinite loop when parsing a PadN option in the Destination Options header

Change Overview:
Most importantly this change corrects the following incorrect math and cleans up the code.

> // It is a PadN option > // > - Offset = (UINT8)(Offset + *(Option + Offset + 1) + 2); > + OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length; > + Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen); > case Ip6OptionSkip: > - Offset = (UINT8)(Offset + *(Option + Offset + 1)); > OptDataLen = ((EFI_IP6_OPTION *)(Option + Offset))->Length; > Offset = IP6_NEXT_OPTION_OFFSET (Offset, OptDataLen);

Additionally, this change also corrects incorrect math where the calling function was calculating the HDR EXT optionLen as a uint8 instead of a uint16

> - OptionLen = (UINT8)((*Option + 1) * 8 - 2); > + OptionLen = IP6_HDR_EXT_LEN (*Option) - IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN;

Additionally this check adds additional logic to sanitize the incoming data

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
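
Review bot: In the PadN case and again under `case Ip6OptionSkip:`, the new code reads `((EFI_IP6_OPTION *)(Option + Offset))->Length` with no check in the quoted lines that the Type and Length bytes at `Offset` still lie inside the option area. Please confirm the enclosing loop guarantees at least `sizeof (EFI_IP6_OPTION)` bytes remain before this dereference, or add that guard here. The two cases now carry the same two-line advance, so a shared helper would keep them from drifting apart again the way the removed lines did (one added `+ 2`, the other did not). A short comment on the result width of `IP6_NEXT_OPTION_OFFSET` would also help, since its definition is not part of the excerpt and the removed lines wrapped through a `(UINT8)` cast.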
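
Review bot: The replacement for `OptionLen = (UINT8)((*Option + 1) * 8 - 2);` is only correct if `OptionLen` itself is declared wider than 8 bits, and that declaration is not in the quoted lines. The removed expression exceeds 255 once `*Option` reaches 32 and tops out at 2046 for `*Option` equal to 255, so the required width and the maximum result are worth stating in a comment beside the `IP6_HDR_EXT_LEN` and `IP6_COMBINED_SIZE_OF_NEXT_HDR_AND_LEN` definitions. Please also check that every callee receiving `OptionLen` takes it in the wider type, otherwise the truncation moves to the call boundary.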

2024-02-06 | NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch | Doug Flick | 1 | -0/+8

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536

Bug Overview:
PixieFail Bug #3 CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read
Out-of-bounds read when handling a ND Redirect message with truncated options

Change Overview:
Adds a check to prevent truncated options from being parsed

+ // + // Cannot process truncated options. + // Cannot process options with a length of 0 as there is no Type field. + // + if (OptionLen < sizeof (IP6_OPTION_HEADER)) { + return FALSE; + }

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
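
Review bot: The comment above `if (OptionLen < sizeof (IP6_OPTION_HEADER))` explains only the zero-length case, while the condition rejects every buffer shorter than one option header, including a single byte that holds a Type with no Length. Reword the comment to describe what the test actually enforces. As quoted, the test is made once against the total `OptionLen`, so please confirm that the option-walking code that follows repeats a remaining-bytes check before reading each later option header; that code is not visible in this excerpt.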

2021-12-07 | NetworkPkg: Apply uncrustify changes | Michael Kubacki | 1 | -400/+405

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737

Apply uncrustify changes to .c/.h files in the NetworkPkg package

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

2020-03-30 | NetworkPkg/Ip6Dxe: Improve Neighbor Discovery message validation. | Maciej Rabeda | 1 | -14/+43

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2174

Problem has been identified with Ip6ProcessRouterAdvertise() when Router Advertise packet contains options with malicious/invalid 'Length' field. This can lead to platform entering infinite loop when processing options from that packet.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>

2019-10-17 | NetworkPkg/Ip6Dxe: Fix typo in comment | Philippe Mathieu-Daude | 1 | -1/+1

An extra 's' slipped into the 'processing' word. Drop it to fix the typo.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>

2019-04-09 | NetworkPkg: Replace BSD License with BSD+Patent License | Michael D Kinney | 1 | -7/+1

https://bugzilla.tianocore.org/show_bug.cgi?id=1373

Replace BSD 2-Clause License with BSD+Patent License. This change is based on the following emails:

https://lists.01.org/pipermail/edk2-devel/2019-February/036260.html
https://lists.01.org/pipermail/edk2-devel/2018-October/030385.html

RFCs with detailed process for the license change:

V3: https://lists.01.org/pipermail/edk2-devel/2019-March/038116.html
V2: https://lists.01.org/pipermail/edk2-devel/2019-March/037669.html
V1: https://lists.01.org/pipermail/edk2-devel/2019-March/037500.html

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>

2016-10-26 | NetworkPkg: Fix typos in comments | Gary Lin | 1 | -8/+8

- assocated -> associated
- malformated -> malformatted
- mal-formated -> mal-formatted
- formated -> formatted
- octects -> octets
- responsiblity -> responsibility
- enought -> enough
- immediatly -> immediately
- integar -> integer
- Alogrithem -> Algorithm
- Initializeion -> Initialization
- primelenght -> primelength
- Vlaue -> Value
- perfoms -> performs
- randome -> random
- verifed -> verified
- finallization -> finalization
- Intializes -> Initializes
- specifed -> specified
- if -> If
- Decrption -> Decryption
- Autahentication -> Authentication
- informatino -> information
- alogrithm -> algorithm
- Authenticaion -> Authentication
- Alogrithem -> Algorithm
- containning -> containing
- paramter -> parameter

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-By: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-By: Jiaxin Wu <jiaxin.wu@intel.com>

2010-11-01 | Add NetworkPkg (P.UDK2010.UP3.Network.P1) | hhtian | 1 | -0/+758

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@10986 6f19259b-4bc3-4df7-8a09-765794883524