-rw-r--r-- | NetworkPkg/Dhcp6Dxe/Dhcp6Io.c | 6 | ||||
-rw-r--r-- | NetworkPkg/DnsDxe/DnsImpl.c | 18 | ||||
-rw-r--r-- | NetworkPkg/TcpDxe/TcpInput.c | 13 | ||||
-rw-r--r-- | NetworkPkg/Udp6Dxe/Udp6Impl.c | 13 |
4 files changed, 40 insertions, 10 deletions
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
index b4e0007926..d25b9734d8 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Io.c
@@ -2,7 +2,7 @@ Dhcp6 internal functions implementation.
(C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
- Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -2827,6 +2827,10 @@ Dhcp6ReceivePacket ( return ;
}
+ if (Udp6Wrap->TotalSize < sizeof (EFI_DHCP6_HEADER)) {
+ goto ON_CONTINUE;
+ }
+
//
// Copy the net buffer received from upd6 to a Dhcp6 packet.
//
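Review bot: The new length check in Dhcp6ReceivePacket drops an undersized packet with no trace, while the equivalent check added to TcpInput in this commit logs `TcpInput: received a malformed packet`. The same silent drop appears in the checks added to DnsOnPacketReceived, TcpIcmpInput, Udp6Demultiplex and Udp6IcmpHandler. A line such as `DEBUG ((EFI_D_INFO, "Dhcp6ReceivePacket: received a malformed packet\n"));` before the `goto ON_CONTINUE;` would make truncated traffic visible in debug builds. The ON_CONTINUE label lies outside this hunk, so it is worth confirming that its cleanup copes with being reached before the Dhcp6 packet copy is allocated.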
diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c
index 19184415e5..4f10e17cf3 100644
--- a/NetworkPkg/DnsDxe/DnsImpl.c
+++ b/NetworkPkg/DnsDxe/DnsImpl.c
@@ -1615,6 +1615,10 @@ DnsOnPacketReceived ( }
ASSERT (Packet != NULL);
+
+ if (Packet->TotalSize <= sizeof (DNS_HEADER)) {
+ goto ON_EXIT;
+ }
RcvString = NetbufGetByte (Packet, 0, NULL);
ASSERT (RcvString != NULL);
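Review bot: The `Packet->TotalSize <= sizeof (DNS_HEADER)` check only guarantees the fixed header plus one byte, yet the call in the following hunk, `ParseDnsResponse (Instance, RcvString, &Completed)`, hands the parser a bare pointer with no length. Unless ParseDnsResponse obtains the size some other way (its body is not shown here), it cannot bounds-check the question and answer sections, so counts and record lengths taken from the packet could lead it to read past the buffer. Consider passing the received length down, for example as an extra argument after `RcvString`, and validating every offset against it. This is also the only check in the commit that uses `<=` rather than `<`; a short comment saying that a response must carry data beyond the header would explain the difference.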
@@ -1624,15 +1628,15 @@ DnsOnPacketReceived ( //
ParseDnsResponse (Instance, RcvString, &Completed);
- ON_EXIT:
+ON_EXIT:
- if (Packet != NULL) {
- NetbufFree (Packet);
- }
+ if (Packet != NULL) {
+ NetbufFree (Packet);
+ }
- if (!Completed) {
- UdpIoRecvDatagram (Instance->UdpIo, DnsOnPacketReceived, Instance, 0);
- }
+ if (!Completed) {
+ UdpIoRecvDatagram (Instance->UdpIo, DnsOnPacketReceived, Instance, 0);
+ }
}
/**
diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
index d0118f1d88..745ee4cc6e 100644
--- a/NetworkPkg/TcpDxe/TcpInput.c
+++ b/NetworkPkg/TcpDxe/TcpInput.c
@@ -1,7 +1,7 @@ /** @file
TCP input process routines.
- Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -748,11 +748,18 @@ TcpInput ( Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);
ASSERT (Head != NULL);
+
+ if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {
+ DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));
+ goto DISCARD;
+ }
+
Len = Nbuf->TotalSize - (Head->HeadLen << 2);
if ((Head->HeadLen < 5) || (Len < 0)) {
DEBUG ((EFI_D_INFO, "TcpInput: received a malformed packet\n"));
+
goto DISCARD;
}
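Review bot: The size check in TcpInput is placed after `Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);` and `ASSERT (Head != NULL);`, so an empty buffer, for which NetbufGetByte presumably returns NULL, would hit the ASSERT before the check can discard it. TcpIcmpInput in the next hunk uses the safer order; moving the `if (Nbuf->TotalSize < sizeof (TCP_HEAD))` block above the NetbufGetByte call would match it. TcpInput's body continues outside this hunk.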
@@ -1560,6 +1567,10 @@ TcpIcmpInput ( BOOLEAN IcmpErrIsHard;
BOOLEAN IcmpErrNotify;
+ if (Nbuf->TotalSize < sizeof (TCP_HEAD)) {
+ goto CLEAN_EXIT;
+ }
+
Head = (TCP_HEAD *) NetbufGetByte (Nbuf, 0, NULL);
ASSERT (Head != NULL);
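Review bot: Requiring a full `sizeof (TCP_HEAD)` in TcpIcmpInput may discard legitimate ICMP errors if this path also handles ICMPv4. RFC 792 only obliges an ICMPv4 error to quote the IP header plus the first 64 bits of the offending datagram, which covers the TCP ports and sequence number but not the whole fixed header. If the rest of the function (outside this hunk) reads only those fields, the bound could be the size of the fields actually used, with a comment naming them. If the full-header requirement is intentional, a comment saying so would help, since the drop via `goto CLEAN_EXIT;` is otherwise silent.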
diff --git a/NetworkPkg/Udp6Dxe/Udp6Impl.c b/NetworkPkg/Udp6Dxe/Udp6Impl.c
index 40e3aff069..7ed50411c6 100644
--- a/NetworkPkg/Udp6Dxe/Udp6Impl.c
+++ b/NetworkPkg/Udp6Dxe/Udp6Impl.c
@@ -1,7 +1,7 @@ /** @file
Udp6 driver's whole implementation.
- Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2016 Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -1598,6 +1598,11 @@ Udp6Demultiplex ( EFI_UDP6_SESSION_DATA *Udp6Session;
UINTN Enqueued;
+ if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) {
+ NetbufFree (Packet);
+ return;
+ }
+
//
// Get the datagram header from the packet buffer.
//
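Review bot: Udp6Demultiplex now frees Packet on the short-packet exit here and on the wrong-checksum exit in the next hunk, which implies the function owns the buffer on every path, but nothing in the visible code states that contract. A comment at the top of the function such as `// Udp6Demultiplex consumes Packet: every return path must free it or hand it on.` would keep future early returns from reintroducing the leak. Udp6IcmpHandler has the same pattern in its new check. It is also worth confirming, in the part of the function outside this hunk, that the length field of the UDP header is checked against `Packet->TotalSize` before it is used.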
@@ -1619,6 +1624,7 @@ Udp6Demultiplex ( //
// Wrong checksum.
//
+ NetbufFree (Packet);
return;
}
}
@@ -1834,6 +1840,11 @@ Udp6IcmpHandler ( LIST_ENTRY *Entry;
UDP6_INSTANCE_DATA *Instance;
+ if (Packet->TotalSize < sizeof (EFI_UDP_HEADER)) {
+ NetbufFree (Packet);
+ return;
+ }
+
Udp6Header = (EFI_UDP_HEADER *) NetbufGetByte (Packet, 0, NULL);
ASSERT (Udp6Header != NULL);