From 3ab0e3be00cc74b39db482e33bfe923f70768ae4 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 16 Feb 2024 10:48:05 -0500
Subject: [PATCH 17/18] NetworkPkg: Dhcp6Dxe: Packet-Length is not updated
 before appending

RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
RH-Acked-by: Gerd Hoffmann <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Commit: [17/18] c13c96534ecea4c43ca98cecf0789b07680958ca

JIRA: https://issues.redhat.com/browse/RHEL-21841
CVE: CVE-2023-45229
Upstream: Merged

commit 75deaf5c3c0d164c61653258c331151241bb69d8
Author: Doug Flick <dougflick@microsoft.com>
Date:   Tue Feb 13 10:46:02 2024 -0800

    NetworkPkg: Dhcp6Dxe: Packet-Length is not updated before appending

    In order for Dhcp6AppendIaAddrOption (..) to safely append the IA
    Address option, the Packet-Length field must be updated before appending
    the option.

    Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
    Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
    Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
    Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
    Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
 NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
index e4e0725622..f38e3ee3fe 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
@@ -924,6 +924,11 @@ Dhcp6AppendIaOption (
     *PacketCursor += sizeof (T2);
   }
 
+  //
+  // Update the packet length
+  //
+  Packet->Length += BytesNeeded;
+
   //
   // Fill all the addresses belong to the Ia
   //
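Review bot: the comment above the relocated `Packet->Length += BytesNeeded;` still reads only "Update the packet length", so nothing at the new location records that the statement must stay ahead of the address loop. The commit message gives the reason (Dhcp6AppendIaAddrOption needs Packet-Length updated before it appends); put that sentence in the code comment so a later cleanup does not move the increment back below the loop. It is also worth confirming in review that BytesNeeded covers only the bytes already written through PacketCursor at this point, since the surrounding computation is not visible in this hunk.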
@@ -935,11 +940,6 @@ Dhcp6AppendIaOption (
     }
   }
 
-  //
-  // Update the packet length
-  //
-  Packet->Length += BytesNeeded;
-
   //
   // Fill the value of Ia option length
   //
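Review bot: with the increment removed from this spot, Packet->Length is already advanced by BytesNeeded when the address loop that closes at the top of this hunk runs, so any early error return inside that loop now leaves the length updated for a partially built option. Please confirm that callers discard the packet on failure, or restore the length on the error path. The diffstat lists only Dhcp6Utility.c, so no test pins the new ordering; a unit test that appends an IA carrying at least one address and checks the resulting Packet->Length would guard against regression.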
-- 
2.39.3