Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15
ovmf.17512
ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch of Package ovmf.17512
From f8883eaa02f82c34308cf54dc2d180fcf632819d Mon Sep 17 00:00:00 2001 From: Jiaxin Wu <Jiaxin.wu@intel.com> Date: Mon, 29 Apr 2019 09:51:53 +0800 Subject: [PATCH 1/2] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559). v3: correct the coding style. v2: correct the commit message & add BZ number. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610 This patch is to check the received package length to make sure the package has a valid length field. Cc: Fu Siyuan <siyuan.fu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com> (cherry picked from commit 578bcdc2605e3438b9cbdac4e68339f90f5bf8af) NOTE: The path to Ip4Input.c is modified to fit the older edk2. --- .../Universal/Network/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++---- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c index e6943230195c..94e53bf3b72f 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c @@ -1,7 +1,7 @@ /** @file IP4 input process. -Copyright (c) 2005 - 2017, Intel Corporation. All rights reserved.<BR> +Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved.<BR> (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR> This program and the accompanying materials @@ -717,10 +717,6 @@ Ip4PreProcessPacket ( // // Check if the IP4 header is correctly formatted. // - if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) { - return EFI_INVALID_PARAMETER; - } - HeadLen = (Head->HeadLen << 2); TotalLen = NTOHS (Head->TotalLen); @@ -814,6 +810,30 @@ Ip4PreProcessPacket ( return EFI_SUCCESS; } +/** + This function checks the IPv4 packet length. + + @param[in] Packet Pointer to the IPv4 Packet to be checked. + + @retval TRUE The input IPv4 packet length is valid. + @retval FALSE The input IPv4 packet length is invalid. + +**/ +BOOLEAN +Ip4IsValidPacketLength ( + IN NET_BUF *Packet + ) +{ + // + // Check the IP4 packet length. + // + if (Packet->TotalSize < IP4_MIN_HEADLEN) { + return FALSE; + } + + return TRUE; +} + /** The IP4 input routine. It is called by the IP4_INTERFACE when a IP4 fragment is received from MNP. @@ -850,6 +870,10 @@ Ip4AccpetFrame ( goto DROP; } + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head != NULL); OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN; @@ -896,10 +920,14 @@ Ip4AccpetFrame ( // ZeroMem (&ZeroHead, sizeof (IP4_HEAD)); if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) { - // Packet may have been changed. Head, HeadLen, TotalLen, and - // info must be reloaded bofore use. The ownership of the packet - // is transfered to the packet process logic. - // + // Packet may have been changed. Head, HeadLen, TotalLen, and + // info must be reloaded before use. The ownership of the packet + // is transferred to the packet process logic. + // + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head != NULL); Status = Ip4PreProcessPacket ( -- 2.25.0 From 15417f01049acacdd5d15ca1214d91632c5570c2 Mon Sep 17 00:00:00 2001 From: Siyuan Fu <siyuan.fu@intel.com> Date: Fri, 21 Feb 2020 10:14:18 +0800 Subject: [PATCH 2/2] NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559) REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031 This patch triggers the RecycleEvent for invalid ARP packets. Prior to this, we would just ignore invalid ARP packets, and never free them. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Signed-off-by: Nicholas Armour <nicholas.armour@intel.com> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com> (cherry picked from commit 1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8) NOTE: The path to ArpImpl.c is modified to fit the older edk2. --- MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c b/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c index a02de203c077..958217f8906e 100644 --- a/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c +++ b/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c @@ -1,7 +1,7 @@ /** @file The implementation of the ARP protocol. -Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR> +Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR> This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at<BR> @@ -119,7 +119,7 @@ ArpOnFrameRcvdDpc ( // // Restart the receiving if packet size is not correct. // - goto RESTART_RECEIVE; + goto RECYCLE_RXDATA; } // @@ -131,7 +131,7 @@ ArpOnFrameRcvdDpc ( Head->OpCode = NTOHS (Head->OpCode); if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) { - goto RESTART_RECEIVE; + goto RECYCLE_RXDATA; } if ((Head->HwType != ArpService->SnpMode.IfType) || -- 2.25.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor