You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1632 lines
46 KiB
1632 lines
46 KiB
From ad79184c7d5d9f95af057b31036167627e92deba Mon Sep 17 00:00:00 2001
|
|
From: Jon Maloy <jmaloy@redhat.com>
|
|
Date: Thu, 8 Feb 2024 10:35:14 -0500
|
|
Subject: [PATCH 01/18] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230
|
|
Patch
|
|
|
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
|
RH-MergeRequest: 54: NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
|
|
RH-Jira: RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853
|
|
RH-Acked-by: Gerd Hoffmann <None>
|
|
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
|
|
RH-Commit: [1/18] 0c3dc6f4652f517fcfbe21a5faab4d1eea934f58
|
|
|
|
JIRA: https://issues.redhat.com/browse/RHEL-21843
|
|
CVE: CVE-2023-45230
|
|
Upstream: Merged
|
|
|
|
commit f31453e8d6542461d92d835e0b79fec8b039174d
|
|
Author: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
|
|
Date: Fri Jan 26 05:54:43 2024 +0800
|
|
|
|
NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch
|
|
|
|
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535
|
|
|
|
Bug Details:
|
|
PixieFail Bug #2
|
|
CVE-2023-45230
|
|
CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
|
|
CWE-119 Improper Restriction of Operations within the Bounds
|
|
of a Memory Buffer
|
|
|
|
Changes Overview:
|
|
> -UINT8 *
|
|
> +EFI_STATUS
|
|
> Dhcp6AppendOption (
|
|
> - IN OUT UINT8 *Buf,
|
|
> - IN UINT16 OptType,
|
|
> - IN UINT16 OptLen,
|
|
> - IN UINT8 *Data
|
|
> + IN OUT EFI_DHCP6_PACKET *Packet,
|
|
> + IN OUT UINT8 **PacketCursor,
|
|
> + IN UINT16 OptType,
|
|
> + IN UINT16 OptLen,
|
|
> + IN UINT8 *Data
|
|
> );
|
|
|
|
Dhcp6AppendOption() and variants can return errors now. All callsites
|
|
are adapted accordingly.
|
|
|
|
It gets passed in EFI_DHCP6_PACKET as additional parameter ...
|
|
|
|
> + //
|
|
> + // Verify the PacketCursor is within the packet
|
|
> + //
|
|
> + if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
> + || (*PacketCursor >= Packet->Dhcp6.Option +
|
|
(Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
> + {
|
|
> + return EFI_INVALID_PARAMETER;
|
|
> + }
|
|
|
|
... so it can look at Packet->Size when checking buffer space.
|
|
Also to allow Packet->Length updates.
|
|
|
|
Lots of checks added.
|
|
|
|
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
|
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
|
|
|
|
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
|
|
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
|
|
|
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
|
---
|
|
NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h | 43 +++
|
|
NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 409 +++++++++++++++++++----------
|
|
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c | 373 +++++++++++++++++++++-----
|
|
NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h | 82 +++---
|
|
4 files changed, 668 insertions(+), 239 deletions(-)
|
|
|
|
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
|
|
index 0eb9c669b5..f2422c2f28 100644
|
|
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
|
|
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Impl.h
|
|
@@ -45,6 +45,49 @@ typedef struct _DHCP6_INSTANCE DHCP6_INSTANCE;
|
|
#define DHCP6_SERVICE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'S')
|
|
#define DHCP6_INSTANCE_SIGNATURE SIGNATURE_32 ('D', 'H', '6', 'I')
|
|
|
|
+//
|
|
+// For more information on DHCP options see RFC 8415, Section 21.1
|
|
+//
|
|
+// The format of DHCP options is:
|
|
+//
|
|
+// 0 1 2 3
|
|
+// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
+// | option-code | option-len |
|
|
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
+// | option-data |
|
|
+// | (option-len octets) |
|
|
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
+//
|
|
+#define DHCP6_SIZE_OF_OPT_CODE (sizeof(UINT16))
|
|
+#define DHCP6_SIZE_OF_OPT_LEN (sizeof(UINT16))
|
|
+
|
|
+//
|
|
+// Combined size of Code and Length
|
|
+//
|
|
+#define DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN (DHCP6_SIZE_OF_OPT_CODE + \
|
|
+ DHCP6_SIZE_OF_OPT_LEN)
|
|
+
|
|
+STATIC_ASSERT (
|
|
+ DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN == 4,
|
|
+ "Combined size of Code and Length must be 4 per RFC 8415"
|
|
+ );
|
|
+
|
|
+//
|
|
+// Offset to the length is just past the code
|
|
+//
|
|
+#define DHCP6_OPT_LEN_OFFSET(a) (a + DHCP6_SIZE_OF_OPT_CODE)
|
|
+STATIC_ASSERT (
|
|
+ DHCP6_OPT_LEN_OFFSET (0) == 2,
|
|
+ "Offset of length is + 2 past start of option"
|
|
+ );
|
|
+
|
|
+#define DHCP6_OPT_DATA_OFFSET(a) (a + DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN)
|
|
+STATIC_ASSERT (
|
|
+ DHCP6_OPT_DATA_OFFSET (0) == 4,
|
|
+ "Offset to option data should be +4 from start of option"
|
|
+ );
|
|
+
|
|
#define DHCP6_PACKET_ALL 0
|
|
#define DHCP6_PACKET_STATEFUL 1
|
|
#define DHCP6_PACKET_STATELESS 2
|
|
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
|
|
index dcd01e6268..bf5aa7a769 100644
|
|
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
|
|
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
|
|
@@ -3,9 +3,9 @@
|
|
|
|
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
|
|
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
|
|
+ Copyright (c) Microsoft Corporation
|
|
|
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
|
-
|
|
**/
|
|
|
|
#include "Dhcp6Impl.h"
|
|
@@ -930,7 +930,8 @@ Dhcp6SendSolicitMsg (
|
|
//
|
|
Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen);
|
|
if (Packet == NULL) {
|
|
- return EFI_OUT_OF_RESOURCES;
|
|
+ Status = EFI_OUT_OF_RESOURCES;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen;
|
|
@@ -944,54 +945,64 @@ Dhcp6SendSolicitMsg (
|
|
Cursor = Packet->Dhcp6.Option;
|
|
|
|
Length = HTONS (ClientId->Length);
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptClientId),
|
|
Length,
|
|
ClientId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendETOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendETOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance,
|
|
&Elapsed
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendIaOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendIaOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance->IaCb.Ia,
|
|
Instance->IaCb.T1,
|
|
Instance->IaCb.T2,
|
|
Packet->Dhcp6.Header.MessageType
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
//
|
|
// Append user-defined when configurate Dhcp6 service.
|
|
//
|
|
for (Index = 0; Index < Instance->Config->OptionCount; Index++) {
|
|
UserOpt = Instance->Config->OptionList[Index];
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
UserOpt->OpCode,
|
|
UserOpt->OpLen,
|
|
UserOpt->Data
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
}
|
|
|
|
- //
|
|
- // Determine the size/length of packet.
|
|
- //
|
|
- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option);
|
|
ASSERT (Packet->Size > Packet->Length + 8);
|
|
|
|
//
|
|
// Callback to user with the packet to be sent and check the user's feedback.
|
|
//
|
|
Status = Dhcp6CallbackUser (Instance, Dhcp6SendSolicit, &Packet);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
@@ -1005,10 +1016,8 @@ Dhcp6SendSolicitMsg (
|
|
Instance->StartTime = 0;
|
|
|
|
Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
@@ -1020,6 +1029,14 @@ Dhcp6SendSolicitMsg (
|
|
Elapsed,
|
|
Instance->Config->SolicitRetransmission
|
|
);
|
|
+
|
|
+ON_ERROR:
|
|
+
|
|
+ if (Packet) {
|
|
+ FreePool (Packet);
|
|
+ }
|
|
+
|
|
+ return Status;
|
|
}
|
|
|
|
/**
|
|
@@ -1110,7 +1127,8 @@ Dhcp6SendRequestMsg (
|
|
//
|
|
Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen);
|
|
if (Packet == NULL) {
|
|
- return EFI_OUT_OF_RESOURCES;
|
|
+ Status = EFI_OUT_OF_RESOURCES;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen;
|
|
@@ -1124,51 +1142,67 @@ Dhcp6SendRequestMsg (
|
|
Cursor = Packet->Dhcp6.Option;
|
|
|
|
Length = HTONS (ClientId->Length);
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptClientId),
|
|
Length,
|
|
ClientId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendETOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendETOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance,
|
|
&Elapsed
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptServerId),
|
|
ServerId->Length,
|
|
ServerId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendIaOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendIaOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance->IaCb.Ia,
|
|
Instance->IaCb.T1,
|
|
Instance->IaCb.T2,
|
|
Packet->Dhcp6.Header.MessageType
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
//
|
|
// Append user-defined when configurate Dhcp6 service.
|
|
//
|
|
for (Index = 0; Index < Instance->Config->OptionCount; Index++) {
|
|
UserOpt = Instance->Config->OptionList[Index];
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
UserOpt->OpCode,
|
|
UserOpt->OpLen,
|
|
UserOpt->Data
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
}
|
|
|
|
- //
|
|
- // Determine the size/length of packet.
|
|
- //
|
|
- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option);
|
|
ASSERT (Packet->Size > Packet->Length + 8);
|
|
|
|
//
|
|
@@ -1177,8 +1211,7 @@ Dhcp6SendRequestMsg (
|
|
Status = Dhcp6CallbackUser (Instance, Dhcp6SendRequest, &Packet);
|
|
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
@@ -1194,14 +1227,21 @@ Dhcp6SendRequestMsg (
|
|
Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);
|
|
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
// Enqueue the sent packet for the retransmission in case reply timeout.
|
|
//
|
|
return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);
|
|
+
|
|
+ON_ERROR:
|
|
+
|
|
+ if (Packet) {
|
|
+ FreePool (Packet);
|
|
+ }
|
|
+
|
|
+ return Status;
|
|
}
|
|
|
|
/**
|
|
@@ -1266,7 +1306,8 @@ Dhcp6SendDeclineMsg (
|
|
//
|
|
Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE);
|
|
if (Packet == NULL) {
|
|
- return EFI_OUT_OF_RESOURCES;
|
|
+ Status = EFI_OUT_OF_RESOURCES;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
Packet->Size = DHCP6_BASE_PACKET_SIZE;
|
|
@@ -1280,42 +1321,58 @@ Dhcp6SendDeclineMsg (
|
|
Cursor = Packet->Dhcp6.Option;
|
|
|
|
Length = HTONS (ClientId->Length);
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptClientId),
|
|
Length,
|
|
ClientId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendETOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendETOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance,
|
|
&Elapsed
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptServerId),
|
|
ServerId->Length,
|
|
ServerId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendIaOption (Cursor, DecIa, 0, 0, Packet->Dhcp6.Header.MessageType);
|
|
+ Status = Dhcp6AppendIaOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
+ DecIa,
|
|
+ 0,
|
|
+ 0,
|
|
+ Packet->Dhcp6.Header.MessageType
|
|
+ );
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- //
|
|
- // Determine the size/length of packet.
|
|
- //
|
|
- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option);
|
|
ASSERT (Packet->Size > Packet->Length + 8);
|
|
|
|
//
|
|
// Callback to user with the packet to be sent and check the user's feedback.
|
|
//
|
|
Status = Dhcp6CallbackUser (Instance, Dhcp6SendDecline, &Packet);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
@@ -1329,16 +1386,22 @@ Dhcp6SendDeclineMsg (
|
|
Instance->StartTime = 0;
|
|
|
|
Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
// Enqueue the sent packet for the retransmission in case reply timeout.
|
|
//
|
|
return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);
|
|
+
|
|
+ON_ERROR:
|
|
+
|
|
+ if (Packet) {
|
|
+ FreePool (Packet);
|
|
+ }
|
|
+
|
|
+ return Status;
|
|
}
|
|
|
|
/**
|
|
@@ -1399,7 +1462,8 @@ Dhcp6SendReleaseMsg (
|
|
//
|
|
Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE);
|
|
if (Packet == NULL) {
|
|
- return EFI_OUT_OF_RESOURCES;
|
|
+ Status = EFI_OUT_OF_RESOURCES;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
Packet->Size = DHCP6_BASE_PACKET_SIZE;
|
|
@@ -1413,45 +1477,61 @@ Dhcp6SendReleaseMsg (
|
|
Cursor = Packet->Dhcp6.Option;
|
|
|
|
Length = HTONS (ClientId->Length);
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptClientId),
|
|
Length,
|
|
ClientId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
//
|
|
// ServerId is extracted from packet, it's network order.
|
|
//
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptServerId),
|
|
ServerId->Length,
|
|
ServerId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendETOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendETOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance,
|
|
&Elapsed
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendIaOption (Cursor, RelIa, 0, 0, Packet->Dhcp6.Header.MessageType);
|
|
+ Status = Dhcp6AppendIaOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
+ RelIa,
|
|
+ 0,
|
|
+ 0,
|
|
+ Packet->Dhcp6.Header.MessageType
|
|
+ );
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- //
|
|
- // Determine the size/length of packet
|
|
- //
|
|
- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option);
|
|
ASSERT (Packet->Size > Packet->Length + 8);
|
|
|
|
//
|
|
// Callback to user with the packet to be sent and check the user's feedback.
|
|
//
|
|
Status = Dhcp6CallbackUser (Instance, Dhcp6SendRelease, &Packet);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
@@ -1461,16 +1541,22 @@ Dhcp6SendReleaseMsg (
|
|
Instance->IaCb.Ia->State = Dhcp6Releasing;
|
|
|
|
Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
// Enqueue the sent packet for the retransmission in case reply timeout.
|
|
//
|
|
return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);
|
|
+
|
|
+ON_ERROR:
|
|
+
|
|
+ if (Packet) {
|
|
+ FreePool (Packet);
|
|
+ }
|
|
+
|
|
+ return Status;
|
|
}
|
|
|
|
/**
|
|
@@ -1529,7 +1615,8 @@ Dhcp6SendRenewRebindMsg (
|
|
//
|
|
Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen);
|
|
if (Packet == NULL) {
|
|
- return EFI_OUT_OF_RESOURCES;
|
|
+ Status = EFI_OUT_OF_RESOURCES;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen;
|
|
@@ -1543,26 +1630,38 @@ Dhcp6SendRenewRebindMsg (
|
|
Cursor = Packet->Dhcp6.Option;
|
|
|
|
Length = HTONS (ClientId->Length);
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptClientId),
|
|
Length,
|
|
ClientId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendETOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendETOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance,
|
|
&Elapsed
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendIaOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendIaOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance->IaCb.Ia,
|
|
Instance->IaCb.T1,
|
|
Instance->IaCb.T2,
|
|
Packet->Dhcp6.Header.MessageType
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
if (!RebindRequest) {
|
|
//
|
|
@@ -1578,18 +1677,22 @@ Dhcp6SendRenewRebindMsg (
|
|
Dhcp6OptServerId
|
|
);
|
|
if (Option == NULL) {
|
|
- FreePool (Packet);
|
|
- return EFI_DEVICE_ERROR;
|
|
+ Status = EFI_DEVICE_ERROR;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
ServerId = (EFI_DHCP6_DUID *)(Option + 2);
|
|
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptServerId),
|
|
ServerId->Length,
|
|
ServerId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
}
|
|
|
|
//
|
|
@@ -1597,18 +1700,18 @@ Dhcp6SendRenewRebindMsg (
|
|
//
|
|
for (Index = 0; Index < Instance->Config->OptionCount; Index++) {
|
|
UserOpt = Instance->Config->OptionList[Index];
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
UserOpt->OpCode,
|
|
UserOpt->OpLen,
|
|
UserOpt->Data
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
}
|
|
|
|
- //
|
|
- // Determine the size/length of packet.
|
|
- //
|
|
- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option);
|
|
ASSERT (Packet->Size > Packet->Length + 8);
|
|
|
|
//
|
|
@@ -1618,10 +1721,8 @@ Dhcp6SendRenewRebindMsg (
|
|
Event = (RebindRequest) ? Dhcp6EnterRebinding : Dhcp6EnterRenewing;
|
|
|
|
Status = Dhcp6CallbackUser (Instance, Event, &Packet);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
@@ -1638,16 +1739,22 @@ Dhcp6SendRenewRebindMsg (
|
|
Instance->StartTime = 0;
|
|
|
|
Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
// Enqueue the sent packet for the retransmission in case reply timeout.
|
|
//
|
|
return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);
|
|
+
|
|
+ON_ERROR:
|
|
+
|
|
+ if (Packet) {
|
|
+ FreePool (Packet);
|
|
+ }
|
|
+
|
|
+ return Status;
|
|
}
|
|
|
|
/**
|
|
@@ -1811,7 +1918,8 @@ Dhcp6SendInfoRequestMsg (
|
|
//
|
|
Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen);
|
|
if (Packet == NULL) {
|
|
- return EFI_OUT_OF_RESOURCES;
|
|
+ Status = EFI_OUT_OF_RESOURCES;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen;
|
|
@@ -1828,44 +1936,56 @@ Dhcp6SendInfoRequestMsg (
|
|
|
|
if (SendClientId) {
|
|
Length = HTONS (ClientId->Length);
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptClientId),
|
|
Length,
|
|
ClientId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
}
|
|
|
|
- Cursor = Dhcp6AppendETOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendETOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance,
|
|
&Elapsed
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
OptionRequest->OpCode,
|
|
OptionRequest->OpLen,
|
|
OptionRequest->Data
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
//
|
|
// Append user-defined when configurate Dhcp6 service.
|
|
//
|
|
for (Index = 0; Index < OptionCount; Index++) {
|
|
UserOpt = OptionList[Index];
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
UserOpt->OpCode,
|
|
UserOpt->OpLen,
|
|
UserOpt->Data
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
}
|
|
|
|
- //
|
|
- // Determine the size/length of packet.
|
|
- //
|
|
- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option);
|
|
ASSERT (Packet->Size > Packet->Length + 8);
|
|
|
|
//
|
|
@@ -1877,16 +1997,22 @@ Dhcp6SendInfoRequestMsg (
|
|
// Send info-request packet with no state.
|
|
//
|
|
Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
// Enqueue the sent packet for the retransmission in case reply timeout.
|
|
//
|
|
return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, Retransmission);
|
|
+
|
|
+ON_ERROR:
|
|
+
|
|
+ if (Packet) {
|
|
+ FreePool (Packet);
|
|
+ }
|
|
+
|
|
+ return Status;
|
|
}
|
|
|
|
/**
|
|
@@ -1937,7 +2063,8 @@ Dhcp6SendConfirmMsg (
|
|
//
|
|
Packet = AllocateZeroPool (DHCP6_BASE_PACKET_SIZE + UserLen);
|
|
if (Packet == NULL) {
|
|
- return EFI_OUT_OF_RESOURCES;
|
|
+ Status = EFI_OUT_OF_RESOURCES;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
Packet->Size = DHCP6_BASE_PACKET_SIZE + UserLen;
|
|
@@ -1951,54 +2078,64 @@ Dhcp6SendConfirmMsg (
|
|
Cursor = Packet->Dhcp6.Option;
|
|
|
|
Length = HTONS (ClientId->Length);
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
HTONS (Dhcp6OptClientId),
|
|
Length,
|
|
ClientId->Duid
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendETOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendETOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance,
|
|
&Elapsed
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
- Cursor = Dhcp6AppendIaOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendIaOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
Instance->IaCb.Ia,
|
|
Instance->IaCb.T1,
|
|
Instance->IaCb.T2,
|
|
Packet->Dhcp6.Header.MessageType
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
|
|
//
|
|
// Append user-defined when configurate Dhcp6 service.
|
|
//
|
|
for (Index = 0; Index < Instance->Config->OptionCount; Index++) {
|
|
UserOpt = Instance->Config->OptionList[Index];
|
|
- Cursor = Dhcp6AppendOption (
|
|
- Cursor,
|
|
+ Status = Dhcp6AppendOption (
|
|
+ Packet,
|
|
+ &Cursor,
|
|
UserOpt->OpCode,
|
|
UserOpt->OpLen,
|
|
UserOpt->Data
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ goto ON_ERROR;
|
|
+ }
|
|
}
|
|
|
|
- //
|
|
- // Determine the size/length of packet.
|
|
- //
|
|
- Packet->Length += (UINT32)(Cursor - Packet->Dhcp6.Option);
|
|
ASSERT (Packet->Size > Packet->Length + 8);
|
|
|
|
//
|
|
// Callback to user with the packet to be sent and check the user's feedback.
|
|
//
|
|
Status = Dhcp6CallbackUser (Instance, Dhcp6SendConfirm, &Packet);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
@@ -2012,16 +2149,22 @@ Dhcp6SendConfirmMsg (
|
|
Instance->StartTime = 0;
|
|
|
|
Status = Dhcp6TransmitPacket (Instance, Packet, Elapsed);
|
|
-
|
|
if (EFI_ERROR (Status)) {
|
|
- FreePool (Packet);
|
|
- return Status;
|
|
+ goto ON_ERROR;
|
|
}
|
|
|
|
//
|
|
// Enqueue the sent packet for the retransmission in case reply timeout.
|
|
//
|
|
return Dhcp6EnqueueRetry (Instance, Packet, Elapsed, NULL);
|
|
+
|
|
+ON_ERROR:
|
|
+
|
|
+ if (Packet) {
|
|
+ FreePool (Packet);
|
|
+ }
|
|
+
|
|
+ return Status;
|
|
}
|
|
|
|
/**
|
|
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
|
|
index e6368b5b1c..705c665c51 100644
|
|
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
|
|
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.c
|
|
@@ -577,24 +577,33 @@ Dhcp6OnTransmitted (
|
|
}
|
|
|
|
/**
|
|
- Append the option to Buf, and move Buf to the end.
|
|
+ Append the option to Buf, update the length of packet, and move Buf to the end.
|
|
|
|
- @param[in, out] Buf The pointer to the buffer.
|
|
- @param[in] OptType The option type.
|
|
- @param[in] OptLen The length of option contents.
|
|
- @param[in] Data The pointer to the option content.
|
|
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
|
|
+ will be updated.
|
|
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
|
|
+ will be moved to the end of the option.
|
|
+ @param[in] OptType The option type.
|
|
+ @param[in] OptLen The length of option contents.
|
|
+ @param[in] Data The pointer to the option content.
|
|
|
|
- @return Buf The position to append the next option.
|
|
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
|
|
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
|
|
+ @retval EFI_SUCCESS The option is appended successfully.
|
|
|
|
**/
|
|
-UINT8 *
|
|
+EFI_STATUS
|
|
Dhcp6AppendOption (
|
|
- IN OUT UINT8 *Buf,
|
|
- IN UINT16 OptType,
|
|
- IN UINT16 OptLen,
|
|
- IN UINT8 *Data
|
|
+ IN OUT EFI_DHCP6_PACKET *Packet,
|
|
+ IN OUT UINT8 **PacketCursor,
|
|
+ IN UINT16 OptType,
|
|
+ IN UINT16 OptLen,
|
|
+ IN UINT8 *Data
|
|
)
|
|
{
|
|
+ UINT32 Length;
|
|
+ UINT32 BytesNeeded;
|
|
+
|
|
//
|
|
// The format of Dhcp6 option:
|
|
//
|
|
@@ -607,35 +616,95 @@ Dhcp6AppendOption (
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
//
|
|
|
|
- ASSERT (OptLen != 0);
|
|
+ //
|
|
+ // Verify the arguments are valid
|
|
+ //
|
|
+ if (Packet == NULL) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if (Data == NULL) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if (OptLen == 0) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ //
|
|
+ // Verify the PacketCursor is within the packet
|
|
+ //
|
|
+ if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
+ {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ //
|
|
+ // Calculate the bytes needed for the option
|
|
+ //
|
|
+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN + NTOHS (OptLen);
|
|
+
|
|
+ //
|
|
+ // Space remaining in the packet
|
|
+ //
|
|
+ Length = Packet->Size - Packet->Length;
|
|
+ if (Length < BytesNeeded) {
|
|
+ return EFI_BUFFER_TOO_SMALL;
|
|
+ }
|
|
+
|
|
+ //
|
|
+ // Verify the PacketCursor is within the packet
|
|
+ //
|
|
+ if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
+ {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, OptType);
|
|
+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
|
|
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, OptLen);
|
|
+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
|
|
+ CopyMem (*PacketCursor, Data, NTOHS (OptLen));
|
|
+ *PacketCursor += NTOHS (OptLen);
|
|
|
|
- WriteUnaligned16 ((UINT16 *)Buf, OptType);
|
|
- Buf += 2;
|
|
- WriteUnaligned16 ((UINT16 *)Buf, OptLen);
|
|
- Buf += 2;
|
|
- CopyMem (Buf, Data, NTOHS (OptLen));
|
|
- Buf += NTOHS (OptLen);
|
|
+ // Update the packet length by the length of the option + 4 bytes
|
|
+ Packet->Length += BytesNeeded;
|
|
|
|
- return Buf;
|
|
+ return EFI_SUCCESS;
|
|
}
|
|
|
|
/**
|
|
Append the appointed IA Address option to Buf, and move Buf to the end.
|
|
|
|
- @param[in, out] Buf The pointer to the position to append.
|
|
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
|
|
+ will be updated.
|
|
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
|
|
+ will be moved to the end of the option.
|
|
@param[in] IaAddr The pointer to the IA Address.
|
|
@param[in] MessageType Message type of DHCP6 package.
|
|
|
|
- @return Buf The position to append the next option.
|
|
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
|
|
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
|
|
+ @retval EFI_SUCCESS The option is appended successfully.
|
|
|
|
**/
|
|
-UINT8 *
|
|
+EFI_STATUS
|
|
Dhcp6AppendIaAddrOption (
|
|
- IN OUT UINT8 *Buf,
|
|
+ IN OUT EFI_DHCP6_PACKET *Packet,
|
|
+ IN OUT UINT8 **PacketCursor,
|
|
IN EFI_DHCP6_IA_ADDRESS *IaAddr,
|
|
IN UINT32 MessageType
|
|
)
|
|
{
|
|
+ UINT32 BytesNeeded;
|
|
+ UINT32 Length;
|
|
+
|
|
// The format of the IA Address option is:
|
|
//
|
|
// 0 1 2 3
|
|
@@ -657,17 +726,60 @@ Dhcp6AppendIaAddrOption (
|
|
// . .
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
|
|
+ //
|
|
+ // Verify the arguments are valid
|
|
+ //
|
|
+ if (Packet == NULL) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if (IaAddr == NULL) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ //
|
|
+ // Verify the PacketCursor is within the packet
|
|
+ //
|
|
+ if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
+ {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;
|
|
+ BytesNeeded += sizeof (EFI_IPv6_ADDRESS);
|
|
+ //
|
|
+ // Even if the preferred-lifetime is 0, it still needs to store it.
|
|
+ //
|
|
+ BytesNeeded += sizeof (IaAddr->PreferredLifetime);
|
|
+ //
|
|
+ // Even if the valid-lifetime is 0, it still needs to store it.
|
|
+ //
|
|
+ BytesNeeded += sizeof (IaAddr->ValidLifetime);
|
|
+
|
|
+ //
|
|
+ // Space remaining in the packet
|
|
+ //
|
|
+ Length = Packet->Size - Packet->Length;
|
|
+ if (Length < BytesNeeded) {
|
|
+ return EFI_BUFFER_TOO_SMALL;
|
|
+ }
|
|
+
|
|
//
|
|
// Fill the value of Ia Address option type
|
|
//
|
|
- WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptIaAddr));
|
|
- Buf += 2;
|
|
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptIaAddr));
|
|
+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
|
|
|
|
- WriteUnaligned16 ((UINT16 *)Buf, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS)));
|
|
- Buf += 2;
|
|
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (sizeof (EFI_DHCP6_IA_ADDRESS)));
|
|
+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
|
|
|
|
- CopyMem (Buf, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS));
|
|
- Buf += sizeof (EFI_IPv6_ADDRESS);
|
|
+ CopyMem (*PacketCursor, &IaAddr->IpAddress, sizeof (EFI_IPv6_ADDRESS));
|
|
+ *PacketCursor += sizeof (EFI_IPv6_ADDRESS);
|
|
|
|
//
|
|
// Fill the value of preferred-lifetime and valid-lifetime.
|
|
@@ -675,44 +787,58 @@ Dhcp6AppendIaAddrOption (
|
|
// should set to 0 when initiate a Confirm message.
|
|
//
|
|
if (MessageType != Dhcp6MsgConfirm) {
|
|
- WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->PreferredLifetime));
|
|
+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->PreferredLifetime));
|
|
}
|
|
|
|
- Buf += 4;
|
|
+ *PacketCursor += sizeof (IaAddr->PreferredLifetime);
|
|
|
|
if (MessageType != Dhcp6MsgConfirm) {
|
|
- WriteUnaligned32 ((UINT32 *)Buf, HTONL (IaAddr->ValidLifetime));
|
|
+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (IaAddr->ValidLifetime));
|
|
}
|
|
|
|
- Buf += 4;
|
|
+ *PacketCursor += sizeof (IaAddr->ValidLifetime);
|
|
+
|
|
+ //
|
|
+ // Update the packet length
|
|
+ //
|
|
+ Packet->Length += BytesNeeded;
|
|
|
|
- return Buf;
|
|
+ return EFI_SUCCESS;
|
|
}
|
|
|
|
/**
|
|
Append the appointed Ia option to Buf, and move Buf to the end.
|
|
|
|
- @param[in, out] Buf The pointer to the position to append.
|
|
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
|
|
+ will be updated.
|
|
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
|
|
+ will be moved to the end of the option.
|
|
@param[in] Ia The pointer to the Ia.
|
|
@param[in] T1 The time of T1.
|
|
@param[in] T2 The time of T2.
|
|
@param[in] MessageType Message type of DHCP6 package.
|
|
|
|
- @return Buf The position to append the next Ia option.
|
|
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
|
|
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
|
|
+ @retval EFI_SUCCESS The option is appended successfully.
|
|
|
|
**/
|
|
-UINT8 *
|
|
+EFI_STATUS
|
|
Dhcp6AppendIaOption (
|
|
- IN OUT UINT8 *Buf,
|
|
- IN EFI_DHCP6_IA *Ia,
|
|
- IN UINT32 T1,
|
|
- IN UINT32 T2,
|
|
- IN UINT32 MessageType
|
|
+ IN OUT EFI_DHCP6_PACKET *Packet,
|
|
+ IN OUT UINT8 **PacketCursor,
|
|
+ IN EFI_DHCP6_IA *Ia,
|
|
+ IN UINT32 T1,
|
|
+ IN UINT32 T2,
|
|
+ IN UINT32 MessageType
|
|
)
|
|
{
|
|
- UINT8 *AddrOpt;
|
|
- UINT16 *Len;
|
|
- UINTN Index;
|
|
+ UINT8 *AddrOpt;
|
|
+ UINT16 *Len;
|
|
+ UINTN Index;
|
|
+ UINT32 BytesNeeded;
|
|
+ UINT32 Length;
|
|
+ EFI_STATUS Status;
|
|
|
|
//
|
|
// The format of IA_NA and IA_TA option:
|
|
@@ -733,32 +859,74 @@ Dhcp6AppendIaOption (
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
//
|
|
|
|
+ //
|
|
+ // Verify the arguments are valid
|
|
+ //
|
|
+ if (Packet == NULL) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if (Ia == NULL) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ //
|
|
+ // Verify the PacketCursor is within the packet
|
|
+ //
|
|
+ if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
+ {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;
|
|
+ BytesNeeded += sizeof (Ia->Descriptor.IaId);
|
|
+ //
|
|
+ // + N for the IA_NA-options/IA_TA-options
|
|
+ // Dhcp6AppendIaAddrOption will need to check the length for each address
|
|
+ //
|
|
+ if (Ia->Descriptor.Type == Dhcp6OptIana) {
|
|
+ BytesNeeded += sizeof (T1) + sizeof (T2);
|
|
+ }
|
|
+
|
|
+ //
|
|
+ // Space remaining in the packet
|
|
+ //
|
|
+ Length = (UINT16)(Packet->Size - Packet->Length);
|
|
+ if (Length < BytesNeeded) {
|
|
+ return EFI_BUFFER_TOO_SMALL;
|
|
+ }
|
|
+
|
|
//
|
|
// Fill the value of Ia option type
|
|
//
|
|
- WriteUnaligned16 ((UINT16 *)Buf, HTONS (Ia->Descriptor.Type));
|
|
- Buf += 2;
|
|
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Ia->Descriptor.Type));
|
|
+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
|
|
|
|
//
|
|
// Fill the len of Ia option later, keep the pointer first
|
|
//
|
|
- Len = (UINT16 *)Buf;
|
|
- Buf += 2;
|
|
+ Len = (UINT16 *)*PacketCursor;
|
|
+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
|
|
|
|
//
|
|
// Fill the value of iaid
|
|
//
|
|
- WriteUnaligned32 ((UINT32 *)Buf, HTONL (Ia->Descriptor.IaId));
|
|
- Buf += 4;
|
|
+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL (Ia->Descriptor.IaId));
|
|
+ *PacketCursor += sizeof (Ia->Descriptor.IaId);
|
|
|
|
//
|
|
// Fill the value of t1 and t2 if iana, keep it 0xffffffff if no specified.
|
|
//
|
|
if (Ia->Descriptor.Type == Dhcp6OptIana) {
|
|
- WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T1 != 0) ? T1 : 0xffffffff));
|
|
- Buf += 4;
|
|
- WriteUnaligned32 ((UINT32 *)Buf, HTONL ((T2 != 0) ? T2 : 0xffffffff));
|
|
- Buf += 4;
|
|
+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T1 != 0) ? T1 : 0xffffffff));
|
|
+ *PacketCursor += sizeof (T1);
|
|
+ WriteUnaligned32 ((UINT32 *)*PacketCursor, HTONL ((T2 != 0) ? T2 : 0xffffffff));
|
|
+ *PacketCursor += sizeof (T2);
|
|
}
|
|
|
|
//
|
|
@@ -766,35 +934,51 @@ Dhcp6AppendIaOption (
|
|
//
|
|
for (Index = 0; Index < Ia->IaAddressCount; Index++) {
|
|
AddrOpt = (UINT8 *)Ia->IaAddress + Index * sizeof (EFI_DHCP6_IA_ADDRESS);
|
|
- Buf = Dhcp6AppendIaAddrOption (Buf, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType);
|
|
+ Status = Dhcp6AppendIaAddrOption (Packet, PacketCursor, (EFI_DHCP6_IA_ADDRESS *)AddrOpt, MessageType);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ return Status;
|
|
+ }
|
|
}
|
|
|
|
//
|
|
// Fill the value of Ia option length
|
|
//
|
|
- *Len = HTONS ((UINT16)(Buf - (UINT8 *)Len - 2));
|
|
+ *Len = HTONS ((UINT16)(*PacketCursor - (UINT8 *)Len - 2));
|
|
|
|
- return Buf;
|
|
+ //
|
|
+ // Update the packet length
|
|
+ //
|
|
+ Packet->Length += BytesNeeded;
|
|
+
|
|
+ return EFI_SUCCESS;
|
|
}
|
|
|
|
/**
|
|
Append the appointed Elapsed time option to Buf, and move Buf to the end.
|
|
|
|
- @param[in, out] Buf The pointer to the position to append.
|
|
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
|
|
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
|
|
+ will be moved to the end of the option.
|
|
@param[in] Instance The pointer to the Dhcp6 instance.
|
|
@param[out] Elapsed The pointer to the elapsed time value in
|
|
- the generated packet.
|
|
+ the generated packet.
|
|
|
|
- @return Buf The position to append the next Ia option.
|
|
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
|
|
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
|
|
+ @retval EFI_SUCCESS The option is appended successfully.
|
|
|
|
**/
|
|
-UINT8 *
|
|
+EFI_STATUS
|
|
Dhcp6AppendETOption (
|
|
- IN OUT UINT8 *Buf,
|
|
- IN DHCP6_INSTANCE *Instance,
|
|
- OUT UINT16 **Elapsed
|
|
+ IN OUT EFI_DHCP6_PACKET *Packet,
|
|
+ IN OUT UINT8 **PacketCursor,
|
|
+ IN DHCP6_INSTANCE *Instance,
|
|
+ OUT UINT16 **Elapsed
|
|
)
|
|
{
|
|
+ UINT32 BytesNeeded;
|
|
+ UINT32 Length;
|
|
+
|
|
//
|
|
// The format of elapsed time option:
|
|
//
|
|
@@ -806,27 +990,70 @@ Dhcp6AppendETOption (
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
//
|
|
|
|
+ //
|
|
+ // Verify the arguments are valid
|
|
+ //
|
|
+ if (Packet == NULL) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if ((PacketCursor == NULL) || (*PacketCursor == NULL)) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if (Instance == NULL) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ if ((Elapsed == NULL)) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ //
|
|
+ // Verify the PacketCursor is within the packet
|
|
+ //
|
|
+ if ( (*PacketCursor < Packet->Dhcp6.Option)
|
|
+ || (*PacketCursor >= Packet->Dhcp6.Option + (Packet->Size - sizeof (EFI_DHCP6_HEADER))))
|
|
+ {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ BytesNeeded = DHCP6_SIZE_OF_COMBINED_CODE_AND_LEN;
|
|
+ //
|
|
+ // + 2 for elapsed-time
|
|
+ //
|
|
+ BytesNeeded += sizeof (UINT16);
|
|
+ //
|
|
+ // Space remaining in the packet
|
|
+ //
|
|
+ Length = Packet->Size - Packet->Length;
|
|
+ if (Length < BytesNeeded) {
|
|
+ return EFI_BUFFER_TOO_SMALL;
|
|
+ }
|
|
+
|
|
//
|
|
// Fill the value of elapsed-time option type.
|
|
//
|
|
- WriteUnaligned16 ((UINT16 *)Buf, HTONS (Dhcp6OptElapsedTime));
|
|
- Buf += 2;
|
|
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (Dhcp6OptElapsedTime));
|
|
+ *PacketCursor += DHCP6_SIZE_OF_OPT_CODE;
|
|
|
|
//
|
|
// Fill the len of elapsed-time option, which is fixed.
|
|
//
|
|
- WriteUnaligned16 ((UINT16 *)Buf, HTONS (2));
|
|
- Buf += 2;
|
|
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (2));
|
|
+ *PacketCursor += DHCP6_SIZE_OF_OPT_LEN;
|
|
|
|
//
|
|
// Fill in elapsed time value with 0 value for now. The actual value is
|
|
// filled in later just before the packet is transmitted.
|
|
//
|
|
- WriteUnaligned16 ((UINT16 *)Buf, HTONS (0));
|
|
- *Elapsed = (UINT16 *)Buf;
|
|
- Buf += 2;
|
|
+ WriteUnaligned16 ((UINT16 *)*PacketCursor, HTONS (0));
|
|
+ *Elapsed = (UINT16 *)*PacketCursor;
|
|
+ *PacketCursor += sizeof (UINT16);
|
|
|
|
- return Buf;
|
|
+ Packet->Length += BytesNeeded;
|
|
+
|
|
+ return EFI_SUCCESS;
|
|
}
|
|
|
|
/**
|
|
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h
|
|
index 046454ff4a..06947f6c1f 100644
|
|
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h
|
|
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Utility.h
|
|
@@ -160,69 +160,85 @@ Dhcp6OnTransmitted (
|
|
);
|
|
|
|
/**
|
|
- Append the appointed option to the buf, and move the buf to the end.
|
|
-
|
|
- @param[in, out] Buf The pointer to buffer.
|
|
- @param[in] OptType The option type.
|
|
- @param[in] OptLen The length of option content.s
|
|
- @param[in] Data The pointer to the option content.
|
|
-
|
|
- @return Buf The position to append the next option.
|
|
-
|
|
+ Append the option to Buf, update the length of packet, and move Buf to the end.
|
|
+
|
|
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
|
|
+ will be updated.
|
|
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
|
|
+ will be moved to the end of the option.
|
|
+ @param[in] OptType The option type.
|
|
+ @param[in] OptLen The length of option contents.
|
|
+ @param[in] Data The pointer to the option content.
|
|
+
|
|
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
|
|
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
|
|
+ @retval EFI_SUCCESS The option is appended successfully.
|
|
**/
|
|
-UINT8 *
|
|
+EFI_STATUS
|
|
Dhcp6AppendOption (
|
|
- IN OUT UINT8 *Buf,
|
|
- IN UINT16 OptType,
|
|
- IN UINT16 OptLen,
|
|
- IN UINT8 *Data
|
|
+ IN OUT EFI_DHCP6_PACKET *Packet,
|
|
+ IN OUT UINT8 **PacketCursor,
|
|
+ IN UINT16 OptType,
|
|
+ IN UINT16 OptLen,
|
|
+ IN UINT8 *Data
|
|
);
|
|
|
|
/**
|
|
- Append the Ia option to Buf, and move Buf to the end.
|
|
-
|
|
- @param[in, out] Buf The pointer to the position to append.
|
|
+ Append the appointed Ia option to Buf, update the Ia option length, and move Buf
|
|
+ to the end of the option.
|
|
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
|
|
+ will be updated.
|
|
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
|
|
+ will be moved to the end of the option.
|
|
@param[in] Ia The pointer to the Ia.
|
|
@param[in] T1 The time of T1.
|
|
@param[in] T2 The time of T2.
|
|
@param[in] MessageType Message type of DHCP6 package.
|
|
|
|
- @return Buf The position to append the next Ia option.
|
|
-
|
|
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
|
|
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
|
|
+ @retval EFI_SUCCESS The option is appended successfully.
|
|
**/
|
|
-UINT8 *
|
|
+EFI_STATUS
|
|
Dhcp6AppendIaOption (
|
|
- IN OUT UINT8 *Buf,
|
|
- IN EFI_DHCP6_IA *Ia,
|
|
- IN UINT32 T1,
|
|
- IN UINT32 T2,
|
|
- IN UINT32 MessageType
|
|
+ IN OUT EFI_DHCP6_PACKET *Packet,
|
|
+ IN OUT UINT8 **PacketCursor,
|
|
+ IN EFI_DHCP6_IA *Ia,
|
|
+ IN UINT32 T1,
|
|
+ IN UINT32 T2,
|
|
+ IN UINT32 MessageType
|
|
);
|
|
|
|
/**
|
|
Append the appointed Elapsed time option to Buf, and move Buf to the end.
|
|
|
|
- @param[in, out] Buf The pointer to the position to append.
|
|
+ @param[in, out] Packet A pointer to the packet, on success Packet->Length
|
|
+ @param[in, out] PacketCursor The pointer in the packet, on success PacketCursor
|
|
+ will be moved to the end of the option.
|
|
@param[in] Instance The pointer to the Dhcp6 instance.
|
|
@param[out] Elapsed The pointer to the elapsed time value in
|
|
the generated packet.
|
|
|
|
- @return Buf The position to append the next Ia option.
|
|
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
|
|
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
|
|
+ @retval EFI_SUCCESS The option is appended successfully.
|
|
|
|
**/
|
|
-UINT8 *
|
|
+EFI_STATUS
|
|
Dhcp6AppendETOption (
|
|
- IN OUT UINT8 *Buf,
|
|
- IN DHCP6_INSTANCE *Instance,
|
|
- OUT UINT16 **Elapsed
|
|
+ IN OUT EFI_DHCP6_PACKET *Packet,
|
|
+ IN OUT UINT8 **PacketCursor,
|
|
+ IN DHCP6_INSTANCE *Instance,
|
|
+ OUT UINT16 **Elapsed
|
|
);
|
|
|
|
/**
|
|
Set the elapsed time based on the given instance and the pointer to the
|
|
elapsed time option.
|
|
|
|
- @param[in] Elapsed The pointer to the position to append.
|
|
- @param[in] Instance The pointer to the Dhcp6 instance.
|
|
+ @retval EFI_INVALID_PARAMETER An argument provided to the function was invalid
|
|
+ @retval EFI_BUFFER_TOO_SMALL The buffer is too small to append the option.
|
|
+ @retval EFI_SUCCESS The option is appended successfully.
|
|
**/
|
|
VOID
|
|
SetElapsedTime (
|
|
--
|
|
2.39.3
|
|
|