|
|
4210fa |
From e253c2a2c07bc526de1528ed9839b2b584025fa2 Mon Sep 17 00:00:00 2001
|
|
|
4210fa |
From: Sebastian Krahmer <krahmer@suse.com>
|
|
|
4210fa |
Date: Tue, 29 Jul 2014 09:55:00 +0000
|
|
|
4210fa |
Subject: [PATCH 70/74] shim buffer overflow on ipv6 option parsing
|
|
|
4210fa |
|
|
|
4210fa |
---
|
|
|
4210fa |
netboot.c | 102 ++++++++++++++++++++++++++++++++++++++------------------------
|
|
|
4210fa |
1 file changed, 62 insertions(+), 40 deletions(-)
|
|
|
4210fa |
|
|
|
4210fa |
diff --git a/netboot.c b/netboot.c
|
|
|
4210fa |
index 238937d..f884cba 100644
|
|
|
4210fa |
--- a/netboot.c
|
|
|
4210fa |
+++ b/netboot.c
|
|
|
4210fa |
@@ -108,29 +108,34 @@ BOOLEAN findNetboot(EFI_HANDLE device)
|
|
|
4210fa |
|
|
|
4210fa |
static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt)
|
|
|
4210fa |
{
|
|
|
4210fa |
- void *optr;
|
|
|
4210fa |
- EFI_DHCP6_PACKET_OPTION *option;
|
|
|
4210fa |
- CHAR8 *url;
|
|
|
4210fa |
- UINT32 urllen;
|
|
|
4210fa |
+ void *optr = NULL, *end = NULL;
|
|
|
4210fa |
+ EFI_DHCP6_PACKET_OPTION *option = NULL;
|
|
|
4210fa |
+ CHAR8 *url = NULL;
|
|
|
4210fa |
+ UINT32 urllen = 0;
|
|
|
4210fa |
|
|
|
4210fa |
optr = pkt->DhcpOptions;
|
|
|
4210fa |
+ end = optr + sizeof(pkt->DhcpOptions);
|
|
|
4210fa |
|
|
|
4210fa |
- for(;;) {
|
|
|
4210fa |
+ for (;;) {
|
|
|
4210fa |
option = (EFI_DHCP6_PACKET_OPTION *)optr;
|
|
|
4210fa |
|
|
|
4210fa |
if (ntohs(option->OpCode) == 0)
|
|
|
4210fa |
- return NULL;
|
|
|
4210fa |
+ break;
|
|
|
4210fa |
|
|
|
4210fa |
if (ntohs(option->OpCode) == 59) {
|
|
|
4210fa |
/* This is the bootfile url option */
|
|
|
4210fa |
urllen = ntohs(option->Length);
|
|
|
4210fa |
- url = AllocateZeroPool(urllen+1);
|
|
|
4210fa |
+ if ((void *)(option->Data + urllen) > end)
|
|
|
4210fa |
+ break;
|
|
|
4210fa |
+ url = AllocateZeroPool(urllen + 1);
|
|
|
4210fa |
if (!url)
|
|
|
4210fa |
- return NULL;
|
|
|
4210fa |
+ break;
|
|
|
4210fa |
memcpy(url, option->Data, urllen);
|
|
|
4210fa |
return url;
|
|
|
4210fa |
}
|
|
|
4210fa |
optr += 4 + ntohs(option->Length);
|
|
|
4210fa |
+ if (optr + sizeof(EFI_DHCP6_PACKET_OPTION) > end)
|
|
|
4210fa |
+ break;
|
|
|
4210fa |
}
|
|
|
4210fa |
|
|
|
4210fa |
return NULL;
|
|
|
4210fa |
@@ -156,45 +161,60 @@ static CHAR16 str2ns(CHAR8 *str)
|
|
|
4210fa |
|
|
|
4210fa |
static CHAR8 *str2ip6(CHAR8 *str)
|
|
|
4210fa |
{
|
|
|
4210fa |
- UINT8 i, j, p;
|
|
|
4210fa |
- size_t len;
|
|
|
4210fa |
- CHAR8 *a, *b, t;
|
|
|
4210fa |
- static UINT16 ip[8];
|
|
|
4210fa |
+ UINT8 i = 0, j = 0, p = 0;
|
|
|
4210fa |
+ size_t len = 0, dotcount = 0;
|
|
|
4210fa |
+ enum { MAX_IP6_DOTS = 7 };
|
|
|
4210fa |
+ CHAR8 *a = NULL, *b = NULL, t = 0;
|
|
|
4210fa |
+ static UINT16 ip[8];
|
|
|
4210fa |
|
|
|
4210fa |
- for(i=0; i < 8; i++) {
|
|
|
4210fa |
- ip[i] = 0;
|
|
|
4210fa |
- }
|
|
|
4210fa |
- len = strlen(str);
|
|
|
4210fa |
- a = b = str;
|
|
|
4210fa |
- for(i=p=0; i < len; i++, b++) {
|
|
|
4210fa |
- if (*b != ':')
|
|
|
4210fa |
- continue;
|
|
|
4210fa |
- *b = '\0';
|
|
|
4210fa |
- ip[p++] = str2ns(a);
|
|
|
4210fa |
- *b = ':';
|
|
|
4210fa |
- a = b + 1;
|
|
|
4210fa |
- if ( *(b+1) == ':' )
|
|
|
4210fa |
- break;
|
|
|
4210fa |
- }
|
|
|
4210fa |
- a = b = (str + len);
|
|
|
4210fa |
- for(j=len, p=7; j > i; j--, a--) {
|
|
|
4210fa |
- if (*a != ':')
|
|
|
4210fa |
- continue;
|
|
|
4210fa |
- t = *b;
|
|
|
4210fa |
- *b = '\0';
|
|
|
4210fa |
- ip[p--] = str2ns(a+1);
|
|
|
4210fa |
- *b = t;
|
|
|
4210fa |
- b = a;
|
|
|
4210fa |
- }
|
|
|
4210fa |
- return (CHAR8 *)ip;
|
|
|
4210fa |
+ memset(ip, 0, sizeof(ip));
|
|
|
4210fa |
+
|
|
|
4210fa |
+ /* Count amount of ':' to prevent overflows.
|
|
|
4210fa |
+ * max. count = 7. Returns an invalid ip6 that
|
|
|
4210fa |
+ * can be checked against
|
|
|
4210fa |
+ */
|
|
|
4210fa |
+ for (a = str; *a != 0; ++a) {
|
|
|
4210fa |
+ if (*a == ':')
|
|
|
4210fa |
+ ++dotcount;
|
|
|
4210fa |
+ }
|
|
|
4210fa |
+ if (dotcount > MAX_IP6_DOTS)
|
|
|
4210fa |
+ return (CHAR8 *)ip;
|
|
|
4210fa |
+
|
|
|
4210fa |
+ len = strlen(str);
|
|
|
4210fa |
+ a = b = str;
|
|
|
4210fa |
+ for (i = p = 0; i < len; i++, b++) {
|
|
|
4210fa |
+ if (*b != ':')
|
|
|
4210fa |
+ continue;
|
|
|
4210fa |
+ *b = '\0';
|
|
|
4210fa |
+ ip[p++] = str2ns(a);
|
|
|
4210fa |
+ *b = ':';
|
|
|
4210fa |
+ a = b + 1;
|
|
|
4210fa |
+ if (b[1] == ':' )
|
|
|
4210fa |
+ break;
|
|
|
4210fa |
+ }
|
|
|
4210fa |
+ a = b = (str + len);
|
|
|
4210fa |
+ for (j = len, p = 7; j > i; j--, a--) {
|
|
|
4210fa |
+ if (*a != ':')
|
|
|
4210fa |
+ continue;
|
|
|
4210fa |
+ t = *b;
|
|
|
4210fa |
+ *b = '\0';
|
|
|
4210fa |
+ ip[p--] = str2ns(a+1);
|
|
|
4210fa |
+ *b = t;
|
|
|
4210fa |
+ b = a;
|
|
|
4210fa |
+ }
|
|
|
4210fa |
+ return (CHAR8 *)ip;
|
|
|
4210fa |
}
|
|
|
4210fa |
|
|
|
4210fa |
static BOOLEAN extract_tftp_info(CHAR8 *url)
|
|
|
4210fa |
{
|
|
|
4210fa |
CHAR8 *start, *end;
|
|
|
4210fa |
CHAR8 ip6str[40];
|
|
|
4210fa |
+ CHAR8 ip6inv[16];
|
|
|
4210fa |
CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
|
|
|
4210fa |
|
|
|
4210fa |
+ // to check against str2ip6() errors
|
|
|
4210fa |
+ memset(ip6inv, 0, sizeof(ip6inv));
|
|
|
4210fa |
+
|
|
|
4210fa |
if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) {
|
|
|
4210fa |
Print(L"URLS MUST START WITH tftp://\n");
|
|
|
4210fa |
return FALSE;
|
|
|
4210fa |
@@ -209,7 +229,7 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
|
|
|
4210fa |
end = start;
|
|
|
4210fa |
while ((*end != '\0') && (*end != ']')) {
|
|
|
4210fa |
end++;
|
|
|
4210fa |
- if (end - start > 39) {
|
|
|
4210fa |
+ if (end - start >= (int)sizeof(ip6str)) {
|
|
|
4210fa |
Print(L"TFTP URL includes malformed IPv6 address\n");
|
|
|
4210fa |
return FALSE;
|
|
|
4210fa |
}
|
|
|
4210fa |
@@ -218,10 +238,12 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
|
|
|
4210fa |
Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n");
|
|
|
4210fa |
return FALSE;
|
|
|
4210fa |
}
|
|
|
4210fa |
- memset(ip6str, 0, 40);
|
|
|
4210fa |
+ memset(ip6str, 0, sizeof(ip6str));
|
|
|
4210fa |
memcpy(ip6str, start, end - start);
|
|
|
4210fa |
end++;
|
|
|
4210fa |
memcpy(&tftp_addr.v6, str2ip6(ip6str), 16);
|
|
|
4210fa |
+ if (memcmp(&tftp_addr.v6, ip6inv, sizeof(ip6inv)) == 0)
|
|
|
4210fa |
+ return FALSE;
|
|
|
4210fa |
full_path = AllocateZeroPool(strlen(end)+strlen(template)+1);
|
|
|
4210fa |
if (!full_path)
|
|
|
4210fa |
return FALSE;
|
|
|
4210fa |
--
|
|
|
4210fa |
1.9.3
|
|
|
4210fa |
|