From d51f47c8654f44a787d70b675830ebc7a4ea74f6 Mon Sep 17 00:00:00 2001 From: Jon Maloy Date: Thu, 15 Feb 2024 11:51:09 -0500 Subject: [PATCH 06/18] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch RH-Author: Jon Maloy RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853 RH-Acked-by: Gerd Hoffmann RH-Acked-by: Laszlo Ersek RH-Commit: [6/18] 58ad218f1216ac1ea34ca01ef8cc21e207e2eaf2 JIRA: https://issues.redhat.com/browse/RHEL-21845 CVE: CVE-2022-45231 Upstream: Merged commit bbfee34f4188ac00371abe1389ae9c9fb989a0cd Author: Doug Flick Date: Fri Jan 26 05:54:48 2024 +0800 NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536 Bug Overview: PixieFail Bug #3 CVE-2023-45231 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Out-of-bounds read when handling a ND Redirect message with truncated options Change Overview: Adds a check to prevent truncated options from being parsed + // + // Cannot process truncated options. + // Cannot process options with a length of 0 as there is no Type field. + // + if (OptionLen < sizeof (IP6_OPTION_HEADER)) { + return FALSE; + } Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] Reviewed-by: Saloni Kasbekar Signed-off-by: Jon Maloy --- NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c index 199eea124d..8718d5d875 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Option.c +++ b/NetworkPkg/Ip6Dxe/Ip6Option.c @@ -137,6 +137,14 @@ Ip6IsNDOptionValid ( return FALSE; } + // + // Cannot process truncated options. + // Cannot process options with a length of 0 as there is no Type field. + // + if (OptionLen < sizeof (IP6_OPTION_HEADER)) { + return FALSE; + } + Offset = 0; // -- 2.39.3