NetworkPkg/Ip6Dxe: Improve Neightbor Discovery message validation.

[mirror_edk2.git] / NetworkPkg / Ip6Dxe / Ip6Nd.c

diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c
index 4288ef02dd46df6d1be7f79fd1197b87f91d97b9..fd7f60b2f92c01a036328ed56060ea801604ab2a 100644 (file)
--- a/NetworkPkg/Ip6Dxe/Ip6Nd.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c
@@ -1927,7 +1927,7 @@ Ip6ProcessRouterAdvertise (
   UINT32                    ReachableTime;\r
   UINT32                    RetransTimer;\r
   UINT16                    RouterLifetime;\r
-  UINT16                    Offset;\r
+  UINT32                    Offset;\r
   UINT8                     Type;\r
   UINT8                     Length;\r
   IP6_ETHER_ADDR_OPTION     LinkLayerOption;\r
@@ -2094,10 +2094,11 @@ Ip6ProcessRouterAdvertise (
   //\r
   // The only defined options that may appear are the Source\r
   // Link-Layer Address, Prefix information and MTU options.\r
-  // All included options have a length that is greater than zero.\r
+  // All included options have a length that is greater than zero and\r
+  // fit within the input packet.\r
   //\r
   Offset = 16;\r
-  while (Offset < Head->PayloadLength) {\r
+  while (Offset < (UINT32) Head->PayloadLength) {\r
     NetbufCopy (Packet, Offset, sizeof (UINT8), &Type);\r
     switch (Type) {\r
     case Ip6OptionEtherSource:\r
@@ -2105,9 +2106,12 @@ Ip6ProcessRouterAdvertise (
       // Update the neighbor cache\r
       //\r
       NetbufCopy (Packet, Offset, sizeof (IP6_ETHER_ADDR_OPTION), (UINT8 *) &LinkLayerOption);\r
-      if (LinkLayerOption.Length <= 0) {\r
-        goto Exit;\r
-      }\r
+\r
+      //\r
+      // Option size validity ensured by Ip6IsNDOptionValid().\r
+      //\r
+      ASSERT (LinkLayerOption.Length != 0);\r
+      ASSERT (Offset + (UINT32) LinkLayerOption.Length * 8 >= (UINT32) Head->PayloadLength);\r
 \r
       ZeroMem (&LinkLayerAddress, sizeof (EFI_MAC_ADDRESS));\r
       CopyMem (&LinkLayerAddress, LinkLayerOption.EtherAddr, 6);\r
@@ -2151,13 +2155,17 @@ Ip6ProcessRouterAdvertise (
         }\r
       }\r
 \r
-      Offset = (UINT16) (Offset + (UINT16) LinkLayerOption.Length * 8);\r
+      Offset += (UINT32) LinkLayerOption.Length * 8;\r
       break;\r
     case Ip6OptionPrefixInfo:\r
       NetbufCopy (Packet, Offset, sizeof (IP6_PREFIX_INFO_OPTION), (UINT8 *) &PrefixOption);\r
-      if (PrefixOption.Length != 4) {\r
-        goto Exit;\r
-      }\r
+\r
+      //\r
+      // Option size validity ensured by Ip6IsNDOptionValid().\r
+      //\r
+      ASSERT (PrefixOption.Length == 4);\r
+      ASSERT (Offset + (UINT32) PrefixOption.Length * 8 >= (UINT32) Head->PayloadLength);\r
+\r
       PrefixOption.ValidLifetime     = NTOHL (PrefixOption.ValidLifetime);\r
       PrefixOption.PreferredLifetime = NTOHL (PrefixOption.PreferredLifetime);\r
 \r
@@ -2321,9 +2329,12 @@ Ip6ProcessRouterAdvertise (
       break;\r
     case Ip6OptionMtu:\r
       NetbufCopy (Packet, Offset, sizeof (IP6_MTU_OPTION), (UINT8 *) &MTUOption);\r
-      if (MTUOption.Length != 1) {\r
-        goto Exit;\r
-      }\r
+\r
+      //\r
+      // Option size validity ensured by Ip6IsNDOptionValid().\r
+      //\r
+      ASSERT (MTUOption.Length == 1);\r
+      ASSERT (Offset + (UINT32) MTUOption.Length * 8 >= (UINT32) Head->PayloadLength);\r
 \r
       //\r
       // Use IPv6 minimum link MTU 1280 bytes as the maximum packet size in order\r
@@ -2338,11 +2349,10 @@ Ip6ProcessRouterAdvertise (
       // Silently ignore unrecognized options\r
       //\r
       NetbufCopy (Packet, Offset + sizeof (UINT8), sizeof (UINT8), &Length);\r
-      if (Length <= 0) {\r
-        goto Exit;\r
-      }\r
 \r
-      Offset = (UINT16) (Offset + (UINT16) Length * 8);\r
+      ASSERT (Length != 0);\r
+\r
+      Offset += (UINT32) Length * 8;\r
       break;\r
     }\r
   }\r