From 40696972bffcd5067de02ba6afc19b773e2cfab1 Mon Sep 17 00:00:00 2001
From: Samer El-Haj-Mahmoud <samer.el-haj-mahmoud@hpe.com>
Date: Fri, 12 Feb 2016 07:57:59 +0800
Subject: [PATCH] NetworkPkg: better sanity check on Ipv6 prefix length

Fix a possible buffer overrun issue that could occur if PrefixLength >
128 . Changed == 128 to >= 128. Also remove check for Byte < 16, which
is no longer possible because of the first change.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
---
 NetworkPkg/Ip6Dxe/Ip6Icmp.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/NetworkPkg/Ip6Dxe/Ip6Icmp.c b/NetworkPkg/Ip6Dxe/Ip6Icmp.c
index db40b81d5e..f6a9bb406f 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Icmp.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Icmp.c
@@ -2,7 +2,8 @@
   The ICMPv6 handle routines to process the ICMPv6 control messages.
 
   Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-
+  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+  
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -479,7 +480,7 @@ Ip6GetPrefix (
     return ;
   }
 
-  if (PrefixLength == IP6_PREFIX_NUM - 1) {
+  if (PrefixLength >= IP6_PREFIX_NUM - 1) {
     return ;
   }
 
@@ -487,7 +488,7 @@ Ip6GetPrefix (
   Bit   = (UINT8) (PrefixLength % 8);
   Value = Prefix->Addr[Byte];
 
-  if ((Byte > 0) && (Byte < 16)) {
+  if (Byte > 0) {
     ZeroMem (Prefix->Addr + Byte, 16 - Byte);
   }
 
-- 
2.39.2