MdeModulePkg: Check received packet size before use it.

[mirror_edk2.git] / MdeModulePkg / Universal / Network / Tcp4Dxe / Tcp4Input.c

diff --git a/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Input.c b/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Input.c
index 209127d18f7ea49c895b15aaff770fb2ad8ebccd..11936ad7f14e880c4f12e01f0ae95e9774e10bc8 100644 (file)
--- a/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Input.c
+++ b/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Input.c
@@ -1,7 +1,7 @@
 /** @file\r
   TCP input process routines.\r
 \r
-Copyright (c) 2005 - 2015, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2005 - 2016, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials\r
 are licensed and made available under the terms and conditions of the BSD License\r
 which accompanies this distribution.  The full text of the license may be found at\r
@@ -711,12 +711,18 @@ TcpInput (
 \r
   Head    = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);\r
   ASSERT (Head != NULL);\r
+\r
+  if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {\r
+    DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));\r
+    goto DISCARD;\r
+  }\r
+  \r
   Len     = Nbuf->TotalSize - (Head->HeadLen << 2);\r
 \r
   if ((Head->HeadLen < 5) || (Len < 0) ||\r
       (TcpChecksum (Nbuf, NetPseudoHeadChecksum (Src, Dst, 6, 0)) != 0)) {\r
 \r
-    DEBUG ((EFI_D_INFO, "TcpInput: received an mal-formated packet\n"));\r
+    DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));\r
     goto DISCARD;\r
   }\r
 \r
@@ -1423,6 +1429,10 @@ TcpIcmpInput (
   BOOLEAN          IcmpErrIsHard;\r
   BOOLEAN          IcmpErrNotify;\r
 \r
+  if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {\r
+    goto CLEAN_EXIT;\r
+  }\r
+\r
   Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);\r
   ASSERT (Head != NULL);\r
   Tcb = TcpLocateTcb (\r