
Commit 1dbb10c

Doug Flick via groups.iomergify[bot]
Doug Flick via groups.io
authored andcommitted
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 Bug Details: PixieFail Bug #1 CVE-2023-45229 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Change Overview: Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking the Inner Option from a DHCP6 Option. > > EFI_STATUS > Dhcp6SeekInnerOptionSafe ( > IN UINT16 IaType, > IN UINT8 *Option, > IN UINT32 OptionLen, > OUT UINT8 **IaInnerOpt, > OUT UINT16 *IaInnerLen > ); > Lots of code cleanup to improve code readability. Cc: Saloni Kasbekar <[email protected]> Cc: Zachary Clark-williams <[email protected]> Signed-off-by: Doug Flick [MSFT] <[email protected]> Reviewed-by: Saloni Kasbekar <[email protected]>
1 parent 5f36581 commit 1dbb10c


2 files changed

+256
-85
lines changed


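--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
@@ -45,6 +45,20 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
 #define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S')
 #define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I')
 
+#define DHCP6_PACKET_ALL 0
+#define DHCP6_PACKET_STATEFUL 1
+#define DHCP6_PACKET_STATELESS 2
+
+#define DHCP6_BASE_PACKET_SIZE 1024
+
+#define DHCP6_PORT_CLIENT 546
+#define DHCP6_PORT_SERVER 547
+
+#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20)
+
+#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
+#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
+
 //
 // For more information on DHCP options see RFC 8415, Section 21.1
 //
@@ -59,12 +73,10 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
 // | (option-len octets) |
 // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 //
-#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16))
-#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16))
+#define DHCP6_SIZE_OF_OPT_CODE (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpCode))
+#define DHCP6_SIZE_OF_OPT_LEN (sizeof (((EFI_DHCP6_PACKET_OPTION *)0)->OpLen))
 
-//
 // Combined size of Code and Length
-//
 #define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \
 DHCP6_SIZE_OF_OPT_LEN)
 
@@ -73,34 +85,122 @@ STATIC_ASSERT (
 "Combined size of Code and Length must be 4 per RFC 8415"
 );
 
-//
 // Offset to the length is just past the code
-//
-#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE)
+#define DHCP6_OFFSET_OF_OPT_LEN(a) (a + DHCP6_SIZE_OF_OPT_CODE)
 STATIC_ASSERT (
-DHCP6_OPT_LEN_OFFSET (0) == 2,
+DHCP6_OFFSET_OF_OPT_LEN (0) == 2,
 "Offset of length is + 2 past start of option"
 );
 
-#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
+#define DHCP6_OFFSET_OF_OPT_DATA(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
 STATIC_ASSERT (
-DHCP6_OPT_DATA_OFFSET (0) == 4,
+DHCP6_OFFSET_OF_OPT_DATA (0) == 4,
 "Offset to option data should be +4 from start of option"
 );
+//
+// Identity Association options (both NA (Non-Temporary) and TA (Temporary Association))
+// are defined in RFC 8415 and are a deriviation of a TLV stucture
+// For more information on IA_NA see Section 21.4
+// For more information on IA_TA see Section 21.5
+//
+//
+// The format of IA_NA and IA_TA option:
+//
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | OPTION_IA_NA | option-len |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | IAID (4 octets) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | T1 (only for IA_NA) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | T2 (only for IA_NA) |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | |
+// . IA_NA-options/IA_TA-options .
+// . .
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+#define DHCP6_SIZE_OF_IAID (sizeof(UINT32))
+#define DHCP6_SIZE_OF_TIME_INTERVAL (sizeof(UINT32))
 
-#define DHCP6_PACKET_ALL 0
-#define DHCP6_PACKET_STATEFUL 1
-#define DHCP6_PACKET_STATELESS 2
+// Combined size of IAID, T1, and T2
+#define DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 (DHCP6_SIZE_OF_IAID + \
+DHCP6_SIZE_OF_TIME_INTERVAL + \
+DHCP6_SIZE_OF_TIME_INTERVAL)
+STATIC_ASSERT (
+DHCP6_SIZE_OF_COMBINED_IAID_T1_T2 == 12,
+"Combined size of IAID, T1, T2 must be 12 per RFC 8415"
+);
 
-#define DHCP6_BASE_PACKET_SIZE 1024
+// This is the size of IA_TA without options
+#define DHCP6_MIN_SIZE_OF_IA_TA (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+DHCP6_SIZE_OF_IAID)
+STATIC_ASSERT (
+DHCP6_MIN_SIZE_OF_IA_TA == 8,
+"Minimum combined size of IA_TA per RFC 8415"
+);
 
-#define DHCP6_PORT_CLIENT 546
-#define DHCP6_PORT_SERVER 547
+// Offset to a IA_TA inner option
+#define DHCP6_OFFSET_OF_IA_TA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_TA)
+STATIC_ASSERT (
+DHCP6_OFFSET_OF_IA_TA_INNER_OPT (0) == 8,
+"Offset of IA_TA Inner option is + 8 past start of option"
+);
 
-#define DHCP_CHECK_MEDIA_WAITING_TIME EFI_TIMER_PERIOD_SECONDS(20)
+// This is the size of IA_NA without options (16)
+#define DHCP6_MIN_SIZE_OF_IA_NA DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+DHCP6_SIZE_OF_COMBINED_IAID_T1_T2
+STATIC_ASSERT (
+DHCP6_MIN_SIZE_OF_IA_NA == 16,
+"Minimum combined size of IA_TA per RFC 8415"
+);
 
-#define DHCP6_INSTANCE_FROM_THIS(Instance) CR ((Instance), DHCP6_INSTANCE, Dhcp6, DHCP6_INSTANCE_SIGNATURE)
-#define DHCP6_SERVICE_FROM_THIS(Service) CR ((Service), DHCP6_SERVICE, ServiceBinding, DHCP6_SERVICE_SIGNATURE)
+#define DHCP6_OFFSET_OF_IA_NA_INNER_OPT(a) (a + DHCP6_MIN_SIZE_OF_IA_NA)
+STATIC_ASSERT (
+DHCP6_OFFSET_OF_IA_NA_INNER_OPT (0) == 16,
+"Offset of IA_NA Inner option is + 16 past start of option"
+);
+
+#define DHCP6_OFFSET_OF_IA_NA_T1(a) (a + \
+DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \
+DHCP6_SIZE_OF_IAID)
+STATIC_ASSERT (
+DHCP6_OFFSET_OF_IA_NA_T1 (0) == 8,
+"Offset of IA_NA Inner option is + 8 past start of option"
+);
+
+#define DHCP6_OFFSET_OF_IA_NA_T2(a) (a + \
+DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN +\
+DHCP6_SIZE_OF_IAID + \
+DHCP6_SIZE_OF_TIME_INTERVAL)
+STATIC_ASSERT (
+DHCP6_OFFSET_OF_IA_NA_T2 (0) == 12,
+"Offset of IA_NA Inner option is + 12 past start of option"
+);
+
+//
+// For more information see RFC 8415 Section 21.13
+//
+// The format of the Status Code Option:
+//
+// 0 1 2 3
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | OPTION_STATUS_CODE | option-len |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// | status-code | |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+// . .
+// . status-message .
+// . .
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+#define DHCP6_OFFSET_OF_STATUS_CODE(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
+STATIC_ASSERT (
+DHCP6_OFFSET_OF_STATUS_CODE (0) == 4,
+"Offset of status is + 4 past start of option"
+);
 
 extern EFI_IPv6_ADDRESS mAllDhcpRelayAndServersAddress;
 extern EFI_DHCP6_PROTOCOL gDhcp6ProtocolTemplate;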
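Review bot: `DHCP6_MIN_SIZE_OF_IA_NA` is the only size macro in this section whose expansion is not wrapped in parentheses, so it evaluates to 16 only where the surrounding operator binds more loosely than `+`; in a remaining-length computation such as `Len - DHCP6_MIN_SIZE_OF_IA_NA` it would expand to `Len - 4 + 12` and produce a wrong bound, which matters in a patch whose purpose is to bound option parsing. The `STATIC_ASSERT` that follows it cannot catch this, because `==` has lower precedence than `+`. I would define it like its IA_TA sibling: `#define DHCP6_MIN_SIZE_OF_IA_NA (DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + \` followed by `DHCP6_SIZE_OF_COMBINED_IAID_T1_T2)`. The assert messages are also copy-pasted: the IA_NA size check says "IA_TA", and the T1 and T2 offset checks both say "Inner option", which would mislead whoever reads a build failure. Whether any caller currently uses the macro under subtraction or multiplication is not visible in this file section, so the present risk is latent rather than demonstrated.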
