From 6771c1d65885d7e9a0dd0e5878a41b05df178420 Mon Sep 17 00:00:00 2001
From: Jiaxin Wu <jiaxin.wu@intel.com>
Date: Fri, 24 Jun 2016 15:19:44 +0800
Subject: NetworkPkg: Avoid potential NULL pointer dereference

The commit of 6b16c9e7 removes ASSERT and use error handling
in IpSecDxe driver, but may cause the potential NULL pointer
dereference. So, this patch is used to avoid NULL pointer
dereference.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
---
 NetworkPkg/IpSecDxe/IkePacket.c      |  13 ++-
 NetworkPkg/IpSecDxe/Ikev2/ChildSa.c  |  19 ++--
 NetworkPkg/IpSecDxe/Ikev2/Exchange.c |  10 ++-
 NetworkPkg/IpSecDxe/Ikev2/Payload.c  |   3 +
 NetworkPkg/IpSecDxe/Ikev2/Sa.c       | 163 ++++++++++++++++++++++++++++++++++-
 5 files changed, 194 insertions(+), 14 deletions(-)

(limited to 'NetworkPkg')

diff --git a/NetworkPkg/IpSecDxe/IkePacket.c b/NetworkPkg/IpSecDxe/IkePacket.c
index 8fd395d43f..14dbb9d5d6 100644
--- a/NetworkPkg/IpSecDxe/IkePacket.c
+++ b/NetworkPkg/IpSecDxe/IkePacket.c
@@ -1,7 +1,7 @@
 /** @file
   IKE Packet related operation.
 
-  Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -195,6 +195,9 @@ IkeNetbufFromPacket (
   LIST_ENTRY    *PacketEntry;
   LIST_ENTRY    *Entry;
   IKE_PAYLOAD   *IkePayload;
+  EFI_STATUS    RetStatus;
+
+  RetStatus = EFI_SUCCESS;
 
   if (!IkePacket->IsEncoded) {
     IkePacket->IsEncoded = TRUE;
@@ -203,10 +206,14 @@ IkeNetbufFromPacket (
     // Encryption payloads if needed
     //
     if (((IKEV2_SESSION_COMMON *) SessionCommon)->IkeVer == 2) {
-      Ikev2EncodePacket ((IKEV2_SESSION_COMMON *) SessionCommon, IkePacket, IkeType);
+      RetStatus = Ikev2EncodePacket ((IKEV2_SESSION_COMMON *) SessionCommon, IkePacket, IkeType);
+      if (EFI_ERROR (RetStatus)) {
+        return NULL;
+      }
+      
     } else {
       //
-      //If IKEv1 support, check it here.
+      // If IKEv1 support, check it here.
       //
       return NULL;
     }
diff --git a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c
index d3859e221d..1f0199b22d 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c
@@ -1,7 +1,7 @@
 /** @file
   The operations for Child SA.
 
-  Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -39,18 +39,21 @@ Ikev2CreateChildGenerator (
   IKE_PACKET              *IkePacket;
   IKE_PAYLOAD             *NotifyPayload;
   UINT32                  *MessageId;
+
+  NotifyPayload   = NULL;
+  MessageId       = NULL;
   
   ChildSaSession  = (IKEV2_CHILD_SA_SESSION *) SaSession;
-  IkePacket       = IkePacketAlloc();
-  MessageId       = NULL;
-
-  if (IkePacket == NULL) {
+  if (ChildSaSession == NULL) {
     return NULL;
   }
-  if (ChildSaSession == NULL) {
+    
+  IkePacket       = IkePacketAlloc();
+  if (IkePacket == NULL) {
     return NULL;
   }
 
+
   if (Context != NULL) {
     MessageId = (UINT32 *) Context;
   }
@@ -113,6 +116,10 @@ Ikev2CreateChildGenerator (
                     NULL,
                     0
                     );
+  if (NotifyPayload == NULL) { 
+    IkePacketFree (IkePacket);
+    return NULL;
+  }
                         
   IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);
   //
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
index 9d58ab0a46..1eddbfbcf1 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
@@ -1,7 +1,7 @@
 /** @file
   The general interfaces of the IKEv2.
 
-  Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -495,6 +495,10 @@ Ikev2HandleSa (
             IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));
 
     ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);
+    if (ChildSaSession == NULL) {
+      goto ON_ERROR;
+    }
+    
     ChildSaCommon  = &ChildSaSession->SessionCommon;
   }
 
@@ -519,6 +523,10 @@ Ikev2HandleSa (
             IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));
 
     ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);
+    if (ChildSaSession == NULL) {
+      goto ON_ERROR;
+    }
+    
     ChildSaCommon  = &ChildSaSession->SessionCommon;
 
     //
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Payload.c b/NetworkPkg/IpSecDxe/Ikev2/Payload.c
index d5fe1abb55..675ecf6f74 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/Payload.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/Payload.c
@@ -2558,6 +2558,9 @@ Ikev2EncodePacket (
     // Encrypt all payload and transfer IKE packet header from Host order to Network order.
     //
     Status = Ikev2EncryptPacket (SessionCommon, IkePacket);
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
   } else {
     //
     // Fill in the lenght into IkePacket header and transfer Host order to Network order.
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Sa.c b/NetworkPkg/IpSecDxe/Ikev2/Sa.c
index c83d45678b..74ef79c237 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/Sa.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/Sa.c
@@ -445,6 +445,13 @@ Ikev2AuthPskGenerator (
   IkeSaSession   = (IKEV2_SA_SESSION *) SaSession;
   ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));
 
+  IkePacket      = NULL;
+  IdPayload      = NULL;
+  AuthPayload    = NULL;
+  SaPayload      = NULL;
+  TsiPayload     = NULL;
+  TsrPayload     = NULL;
+  NotifyPayload  = NULL;
   CpPayload      = NULL;
   NotifyPayload  = NULL;
   
@@ -488,6 +495,9 @@ Ikev2AuthPskGenerator (
                 &IkeSaSession->SessionCommon,
                 IKEV2_PAYLOAD_TYPE_AUTH
                 );
+  if (IdPayload == NULL) {
+    goto CheckError;
+  }
 
   //
   // 3. Generate Auth Payload
@@ -522,6 +532,14 @@ Ikev2AuthPskGenerator (
                     IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS
                     );
     }
+
+     if (CpPayload == NULL) {
+      goto CheckError;
+    }
+  }
+
+  if (AuthPayload == NULL) {
+    goto CheckError;
   }
 
   //
@@ -532,6 +550,9 @@ Ikev2AuthPskGenerator (
                 IKEV2_PAYLOAD_TYPE_TS_INIT,
                 IkeSessionTypeChildSa
                 );
+  if (SaPayload == NULL) {
+    goto CheckError;
+  }
 
   if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {
     //
@@ -562,6 +583,9 @@ Ikev2AuthPskGenerator (
                       NULL,
                       0
                       );
+    if (NotifyPayload == NULL) {
+      goto CheckError;
+    }
   } else {
     //
     // Generate Tsr for Tunnel mode.
@@ -578,6 +602,10 @@ Ikev2AuthPskGenerator (
                    );
   }
 
+  if (TsiPayload == NULL || TsrPayload == NULL) {
+    goto CheckError;
+  }
+
   IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload);
   IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload);
   if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {
@@ -591,6 +619,41 @@ Ikev2AuthPskGenerator (
   }
 
   return IkePacket;
+
+CheckError:
+  if (IkePacket != NULL) {
+    IkePacketFree (IkePacket);
+  }
+  
+  if (IdPayload != NULL) {
+    IkePayloadFree (IdPayload);
+  }
+
+  if (AuthPayload != NULL) {
+    IkePayloadFree (AuthPayload);
+  }
+  
+  if (CpPayload != NULL) {
+    IkePayloadFree (CpPayload);
+  }
+
+  if (SaPayload != NULL) {
+    IkePayloadFree (SaPayload);
+  }
+  
+  if (TsiPayload != NULL) {
+    IkePayloadFree (TsiPayload);
+  }
+  
+  if (TsrPayload != NULL) {
+    IkePayloadFree (TsrPayload);
+  }
+  
+  if (NotifyPayload != NULL) {
+    IkePayloadFree (NotifyPayload);
+  }
+  
+  return NULL; 
 }
 
 /**
@@ -800,7 +863,11 @@ Ikev2AuthPskParser (
   //
   // 5. Generate keymats for IPsec protocol.
   //
-  Ikev2GenerateChildSaKeys (ChildSaSession, NULL);
+  Status = Ikev2GenerateChildSaKeys (ChildSaSession, NULL);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+  
   if (IkeSaSession->SessionCommon.IsInitiator) {
     //
     // 6. Change the state of IkeSaSession
@@ -934,7 +1001,13 @@ Ikev2AuthCertGenerator (
   IkeSaSession   = (IKEV2_SA_SESSION *) SaSession;
   ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));
 
+  IkePacket      = NULL;
+  IdPayload      = NULL;
+  AuthPayload    = NULL;
   CpPayload      = NULL;
+  SaPayload      = NULL;
+  TsiPayload     = NULL;
+  TsrPayload     = NULL;
   NotifyPayload  = NULL;
   CertPayload    = NULL;
   CertReqPayload = NULL;
@@ -981,6 +1054,9 @@ Ikev2AuthCertGenerator (
                 (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate),
                 PcdGet32 (PcdIpsecUefiCertificateSize)
                 );
+  if (IdPayload == NULL) {
+    goto CheckError;
+  }
 
   //
   // 3. Generate Certificate Payload
@@ -993,6 +1069,10 @@ Ikev2AuthCertGenerator (
                   IKEV2_CERT_ENCODEING_X509_CERT_SIGN,
                   FALSE
                   );
+  if (CertPayload == NULL) {
+    goto CheckError;
+  }
+  
   if (IkeSaSession->SessionCommon.IsInitiator) {
     CertReqPayload = Ikev2GenerateCertificatePayload (
                        IkeSaSession,
@@ -1002,6 +1082,9 @@ Ikev2AuthCertGenerator (
                        IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT,
                        TRUE
                        );
+    if (CertReqPayload == NULL) {
+      goto CheckError;
+    } 
   }
 
   //
@@ -1044,8 +1127,16 @@ Ikev2AuthCertGenerator (
                     IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS
                     );
     }
+    
+    if (CpPayload == NULL) {
+      goto CheckError;
+    } 
   }
 
+  if (AuthPayload == NULL) {
+    goto CheckError;
+  }  
+
   //
   // 5. Generate SA Payload according to the Sa Data in ChildSaSession
   //
@@ -1054,6 +1145,9 @@ Ikev2AuthCertGenerator (
                 IKEV2_PAYLOAD_TYPE_TS_INIT,
                 IkeSessionTypeChildSa
                 );
+  if (SaPayload == NULL) {
+    goto CheckError;
+  }
 
   if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {
     //
@@ -1084,6 +1178,9 @@ Ikev2AuthCertGenerator (
                       NULL,
                       0
                       );
+    if (NotifyPayload == NULL) {
+      goto CheckError;
+    }
   } else {
     //
     // Generate Tsr for Tunnel mode.
@@ -1100,6 +1197,10 @@ Ikev2AuthCertGenerator (
                    );
   }
 
+  if (TsiPayload == NULL || TsrPayload == NULL) {
+    goto CheckError;
+  }
+
   IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload);
   IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertPayload);
   if (IkeSaSession->SessionCommon.IsInitiator) {
@@ -1117,6 +1218,49 @@ Ikev2AuthCertGenerator (
   }
 
   return IkePacket;
+
+CheckError:
+  if (IkePacket != NULL) {
+    IkePacketFree (IkePacket);
+  }
+  
+  if (IdPayload != NULL) {
+    IkePayloadFree (IdPayload);
+  }
+
+  if (CertPayload != NULL) {
+    IkePayloadFree (CertPayload);
+  }
+  
+  if (CertReqPayload != NULL) {
+    IkePayloadFree (CertReqPayload);
+  }
+
+  if (AuthPayload != NULL) {
+    IkePayloadFree (AuthPayload);
+  }
+
+  if (CpPayload != NULL) {
+    IkePayloadFree (CpPayload);
+  }
+  
+  if (SaPayload != NULL) {
+    IkePayloadFree (SaPayload);
+  }
+  
+  if (TsiPayload != NULL) {
+    IkePayloadFree (TsiPayload);
+  }
+  
+  if (TsrPayload != NULL) {
+    IkePayloadFree (TsrPayload);
+  }
+  
+  if (NotifyPayload != NULL) {
+    IkePayloadFree (NotifyPayload);
+  }
+  
+  return NULL; 
 }
 
 /**
@@ -1340,7 +1484,11 @@ Ikev2AuthCertParser (
   //
   // 5. Generat keymats for IPsec protocol.
   //
-  Ikev2GenerateChildSaKeys (ChildSaSession, NULL);
+  Status = Ikev2GenerateChildSaKeys (ChildSaSession, NULL);
+  if (EFI_ERROR (Status)) {
+    goto Exit;
+  }
+  
   if (IkeSaSession->SessionCommon.IsInitiator) {
     //
     // 6. Change the state of IkeSaSession
@@ -1541,7 +1689,10 @@ Ikev2GenerateSaKeys (
   //
   // Generate Gxy
   //
-  Ikev2GenerateSaDhComputeKey (IkeSaSession->IkeKeys->DhBuffer, KePayload);
+  Status = Ikev2GenerateSaDhComputeKey (IkeSaSession->IkeKeys->DhBuffer, KePayload);
+  if (EFI_ERROR (Status)) {
+    goto Exit;
+  }
 
   //
   // Get the key length of Authenticaion, Encryption, PRF, and Integrity.
@@ -1843,7 +1994,11 @@ Ikev2GenerateChildSaKeys (
     //
     // Generate Gxy 
     //
-    Ikev2GenerateSaDhComputeKey (ChildSaSession->DhBuffer, KePayload);
+    Status = Ikev2GenerateSaDhComputeKey (ChildSaSession->DhBuffer, KePayload);
+    if (EFI_ERROR (Status)) {
+      goto Exit;
+    }
+    
     Fragments[0].Data     = ChildSaSession->DhBuffer->GxyBuffer;
     Fragments[0].DataSize = ChildSaSession->DhBuffer->GxySize;
   }
-- 
cgit v1.2.3