NetworkPkg: Check received packet size before use it.

Arbitrary length of packet may be received from network, including the
packets with zero payload data or malformed protocol header. So the code
much check the actually received data size before using it. For example, in
current edk2 network stack, an zero payload UDP packet may cause the
platform ASSERT in NetbufFromExt() because of the zero fragment number.
This patch update the IpIoLib and UdpIoLib to check and discard the zero
payload data packet to avoid above assert. Some other network drivers are
also updated to check the packet size to guarantee the minimum length of
protocol header is received from upper layer driver.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Sriram Subramanian <sriram-s@hpe.com>
Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>

diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index b4e00079260a2924951b68717290805e3ac22f7b..d25b9734d8de7178c9ff6e648a1efeb0f86db32f 100644 (file)
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -2,7 +2,7 @@
   Dhcp6 internal functions implementation.\r
 \r
   (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>\r
-  Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>\r
+  Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>\r
 \r
   This program and the accompanying materials\r
   are licensed and made available under the terms and conditions of the BSD License\r
@@ -2827,6 +2827,10 @@ Dhcp6ReceivePacket (
     return ;\r
   }\r
 \r
+  if (Udp6Wrap->TotalSize < sizeof (EFI_DHCP6_HEADER)) {\r
+    goto ON_CONTINUE;\r
+  }\r
+\r
   //\r
   // Copy the net buffer received from upd6 to a Dhcp6 packet.\r
   //\r

diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c
index 19184415e5c5d0e0e8d79dfe8f75338239ccd12b..4f10e17cf30ffca63646b355da0857c599dc176b 100644 (file)
--- a/NetworkPkg/DnsDxe/DnsImpl.c
+++ b/NetworkPkg/DnsDxe/DnsImpl.c
@@ -1615,6 +1615,10 @@ DnsOnPacketReceived (
   }\r
 \r
   ASSERT (Packet != NULL);\r
+\r
+  if (Packet->TotalSize <= sizeof (DNS_HEADER)) {\r
+    goto ON_EXIT;\r
+  }\r
   \r
   RcvString = NetbufGetByte (Packet, 0, NULL);\r
   ASSERT (RcvString != NULL);\r
@@ -1624,15 +1628,15 @@ DnsOnPacketReceived (
   //\r
   ParseDnsResponse (Instance, RcvString, &Completed);\r
 \r
-  ON_EXIT:\r
+ON_EXIT:\r
 \r
-    if (Packet != NULL) {\r
-      NetbufFree (Packet);\r
-    }\r
+  if (Packet != NULL) {\r
+    NetbufFree (Packet);\r
+  }\r
 \r
-    if (!Completed) {\r
-      UdpIoRecvDatagram (Instance->UdpIo, DnsOnPacketReceived, Instance, 0);\r
-    }\r
+  if (!Completed) {\r
+    UdpIoRecvDatagram (Instance->UdpIo, DnsOnPacketReceived, Instance, 0);\r
+  }\r
 }\r
 \r
 /**\r

diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
index d0118f1d886d8bd128669047ae066d360ad50f60..745ee4cc6e9990f800550666e7af98bbaac8735a 100644 (file)
--- a/NetworkPkg/TcpDxe/TcpInput.c
+++ b/NetworkPkg/TcpDxe/TcpInput.c
@@ -1,7 +1,7 @@
 /** @file\r
   TCP input process routines.\r
 \r
-  Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>\r
+  Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>\r
 \r
   This program and the accompanying materials\r
   are licensed and made available under the terms and conditions of the BSD License\r
@@ -748,11 +748,18 @@ TcpInput (
 \r
   Head    = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);\r
   ASSERT (Head != NULL);\r
+  \r
+  if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {\r
+    DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));\r
+    goto DISCARD;\r
+  }\r
+  \r
   Len     = Nbuf->TotalSize - (Head->HeadLen << 2);\r
 \r
   if ((Head->HeadLen < 5) || (Len < 0)) {\r
 \r
     DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));\r
+    \r
     goto DISCARD;\r
   }\r
 \r
@@ -1560,6 +1567,10 @@ TcpIcmpInput (
   BOOLEAN          IcmpErrIsHard;\r
   BOOLEAN          IcmpErrNotify;\r
 \r
+  if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {\r
+    goto CLEAN_EXIT;\r
+  }\r
+  \r
   Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);\r
   ASSERT (Head != NULL);\r
 \r

diff --git a/NetworkPkg/Udp6Dxe/Udp6Impl.c b/NetworkPkg/Udp6Dxe/Udp6Impl.c
index 40e3aff0695fed6a16c6af3abcda7c42ec58b7f0..7ed50411c66b5bff32865117b3c6196598377e68 100644 (file)
--- a/NetworkPkg/Udp6Dxe/Udp6Impl.c
+++ b/NetworkPkg/Udp6Dxe/Udp6Impl.c
@@ -1,7 +1,7 @@
 /** @file\r
   Udp6 driver's whole implementation.\r
 \r
-  Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>\r
+  Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>\r
 \r
   This program and the accompanying materials\r
   are licensed and made available under the terms and conditions of the BSD License\r
@@ -1598,6 +1598,11 @@ Udp6Demultiplex (
   EFI_UDP6_SESSION_DATA  *Udp6Session;\r
   UINTN                  Enqueued;\r
 \r
+  if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) {\r
+    NetbufFree (Packet);\r
+    return;\r
+  }\r
+  \r
   //\r
   // Get the datagram header from the packet buffer.\r
   //\r
@@ -1619,6 +1624,7 @@ Udp6Demultiplex (
       //\r
       // Wrong checksum.\r
       //\r
+      NetbufFree (Packet);\r
       return;\r
     }\r
   }\r
@@ -1834,6 +1840,11 @@ Udp6IcmpHandler (
   LIST_ENTRY             *Entry;\r
   UDP6_INSTANCE_DATA     *Instance;\r
 \r
+  if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) {\r
+    NetbufFree (Packet);\r
+    return;\r
+  }\r
+  \r
   Udp6Header = (EFI_UDP_HEADER *) NetbufGetByte (Packet, 0, NULL);\r
   ASSERT (Udp6Header != NULL);\r
 \r