add security check.

[mirror_edk2.git] / MdeModulePkg / Universal / Network / UefiPxeBcDxe / PxeBcDhcp.c

diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c
index 920506b246c5d9c0d45e8f441bd2f7e099419f2f..9b5080f15dbafca09c2be10745f3381ef7f637d7 100644 (file)
--- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c
+++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c
@@ -274,6 +274,7 @@ PxeBcTryBinl (
   PXEBC_CACHED_DHCP4_PACKET *CachedPacket;\r
   EFI_DHCP4_PACKET          *Reply;\r
 \r
+  ASSERT (Index < PXEBC_MAX_OFFER_NUM);\r
   ASSERT (Private->Dhcp4Offers[Index].OfferType == DHCP4_PACKET_TYPE_BINL);\r
 \r
   Offer = &Private->Dhcp4Offers[Index].Packet.Offer;\r
@@ -560,6 +561,7 @@ PxeBcCacheDhcpOffer (
   }\r
 \r
   OfferType = CachedOffer->OfferType;\r
+  ASSERT (OfferType < DHCP4_PACKET_TYPE_MAX);\r
 \r
   if (OfferType == DHCP4_PACKET_TYPE_BOOTP) {\r
 \r
@@ -603,6 +605,7 @@ PxeBcCacheDhcpOffer (
       //\r
       // It's a dhcp offer with your address.\r
       //\r
+      ASSERT (Private->ServerCount[OfferType] < PXEBC_MAX_OFFER_NUM);\r
       Private->OfferIndex[OfferType][Private->ServerCount[OfferType]] = Private->NumOffers;\r
       Private->ServerCount[OfferType]++;\r
     }\r
@@ -1019,9 +1022,15 @@ PxeBcBuildDhcpOptions (
   OptList[Index]->OpCode  = PXEBC_PXE_DHCP4_TAG_UNDI;\r
   OptList[Index]->Length  = sizeof (PXEBC_DHCP4_OPTION_UNDI);\r
   OptEnt.Undi             = (PXEBC_DHCP4_OPTION_UNDI *) OptList[Index]->Data;\r
-  OptEnt.Undi->Type       = Private->Nii->Type;\r
-  OptEnt.Undi->MajorVer   = Private->Nii->MajorVer;\r
-  OptEnt.Undi->MinorVer   = Private->Nii->MinorVer;\r
+  if (Private->Nii != NULL) {\r
+    OptEnt.Undi->Type       = Private->Nii->Type;\r
+    OptEnt.Undi->MajorVer   = Private->Nii->MajorVer;\r
+    OptEnt.Undi->MinorVer   = Private->Nii->MinorVer;\r
+  } else {\r
+    OptEnt.Undi->Type       = DEFAULT_UNDI_TYPE;\r
+    OptEnt.Undi->MajorVer   = DEFAULT_UNDI_MAJOR;\r
+    OptEnt.Undi->MinorVer   = DEFAULT_UNDI_MINOR;\r
+  }\r
 \r
   Index++;\r
   OptList[Index] = GET_NEXT_DHCP_OPTION (OptList[Index - 1]);\r
@@ -1045,9 +1054,16 @@ PxeBcBuildDhcpOptions (
   OptEnt.Clid             = (PXEBC_DHCP4_OPTION_CLID *) OptList[Index]->Data;\r
   CopyMem (OptEnt.Clid, DEFAULT_CLASS_ID_DATA, sizeof (PXEBC_DHCP4_OPTION_CLID));\r
   CvtNum (SYS_ARCH, OptEnt.Clid->ArchitectureType, sizeof (OptEnt.Clid->ArchitectureType));\r
-  CopyMem (OptEnt.Clid->InterfaceName, Private->Nii->StringId, sizeof (OptEnt.Clid->InterfaceName));\r
-  CvtNum (Private->Nii->MajorVer, OptEnt.Clid->UndiMajor, sizeof (OptEnt.Clid->UndiMajor));\r
-  CvtNum (Private->Nii->MinorVer, OptEnt.Clid->UndiMinor, sizeof (OptEnt.Clid->UndiMinor));\r
+\r
+  if (Private->Nii != NULL) {\r
+    // \r
+    // If NII protocol exists, update DHCP option data\r
+    //\r
+    CopyMem (OptEnt.Clid->InterfaceName, Private->Nii->StringId, sizeof (OptEnt.Clid->InterfaceName));\r
+    CvtNum (Private->Nii->MajorVer, OptEnt.Clid->UndiMajor, sizeof (OptEnt.Clid->UndiMajor));\r
+    CvtNum (Private->Nii->MinorVer, OptEnt.Clid->UndiMinor, sizeof (OptEnt.Clid->UndiMinor));\r
+  }\r
+\r
   Index++;\r
 \r
   return Index;\r
@@ -1104,7 +1120,9 @@ PxeBcDiscvBootService (
   UINT8                               VendorOptLen;\r
   CHAR8                               *SystemSerialNumber;\r
   EFI_DHCP4_HEADER                    *DhcpHeader;\r
+  UINT32                              Xid;\r
 \r
+  ASSERT (IsDiscv && (Layer != NULL));\r
 \r
   Mode      = Private->PxeBc.Mode;\r
   Dhcp4     = Private->Dhcp4;\r
@@ -1170,14 +1188,15 @@ PxeBcDiscvBootService (
 \r
     DhcpHeader->HwAddrLen = sizeof (EFI_GUID);\r
   }\r
-\r
-  Token.Packet->Dhcp4.Header.Xid      = NET_RANDOM (NetRandomInitSeed ());\r
-  Token.Packet->Dhcp4.Header.Reserved = (UINT16) ((IsBCast) ? 0xf000 : 0x0);\r
+       \r
+  Xid                                 = NET_RANDOM (NetRandomInitSeed ());\r
+  Token.Packet->Dhcp4.Header.Xid      = HTONL(Xid);\r
+  Token.Packet->Dhcp4.Header.Reserved = HTONS((IsBCast) ? 0x8000 : 0);\r
   CopyMem (&Token.Packet->Dhcp4.Header.ClientAddr, &Private->StationIp, sizeof (EFI_IPv4_ADDRESS));\r
 \r
   Token.RemotePort = Sport;\r
 \r
-  if (DestIp == NULL) {\r
+  if (IsBCast) {\r
     SetMem (&Token.RemoteAddress, sizeof (EFI_IPv4_ADDRESS), 0xff);\r
   } else {\r
     CopyMem (&Token.RemoteAddress, DestIp, sizeof (EFI_IPv4_ADDRESS));\r
@@ -1197,7 +1216,8 @@ PxeBcDiscvBootService (
   //\r
   for (TryIndex = 1; TryIndex <= PXEBC_BOOT_REQUEST_RETRIES; TryIndex++) {\r
 \r
-    Token.TimeoutValue  = PXEBC_BOOT_REQUEST_TIMEOUT * TryIndex;\r
+    Token.TimeoutValue                  = (UINT16) (PXEBC_BOOT_REQUEST_TIMEOUT * TryIndex);\r
+    Token.Packet->Dhcp4.Header.Seconds  = (UINT16) (PXEBC_BOOT_REQUEST_TIMEOUT * (TryIndex - 1));\r
 \r
     Status              = Dhcp4->TransmitReceive (Dhcp4, &Token);\r
 \r
@@ -1701,15 +1721,21 @@ PxeBcSelectBootMenu (
   MenuSize  = VendorOpt->BootMenuLen;\r
   MenuItem  = VendorOpt->BootMenu;\r
 \r
+  if (MenuSize == 0) {\r
+    return EFI_NOT_READY;\r
+  }\r
+\r
   while (MenuSize > 0) {\r
     MenuArray[Index]  = MenuItem;\r
     MenuSize          = (UINT8) (MenuSize - (MenuItem->DescLen + 3));\r
     MenuItem          = (PXEBC_BOOT_MENU_ENTRY *) ((UINT8 *) MenuItem + MenuItem->DescLen + 3);\r
-    Index++;\r
+    if (Index++ > (PXEBC_MAX_MENU_NUM - 1)) {\r
+      break;\r
+    }\r
   }\r
 \r
   if (UseDefaultItem) {\r
-    CopyMem (Type, &MenuArray[0]->Type, sizeof (UINT16));\r
+    *Type = MenuArray[0]->Type;\r
     *Type = NTOHS (*Type);\r
     return EFI_SUCCESS;\r
   }\r