Blame SOURCES/0070-shim-buffer-overflow-on-ipv6-option-parsing.patch

4210fa
From e253c2a2c07bc526de1528ed9839b2b584025fa2 Mon Sep 17 00:00:00 2001
4210fa
From: Sebastian Krahmer <krahmer@suse.com>
4210fa
Date: Tue, 29 Jul 2014 09:55:00 +0000
4210fa
Subject: [PATCH 70/74] shim buffer overflow on ipv6 option parsing
4210fa
4210fa
---
4210fa
 netboot.c | 102 ++++++++++++++++++++++++++++++++++++++------------------------
4210fa
 1 file changed, 62 insertions(+), 40 deletions(-)
4210fa
4210fa
diff --git a/netboot.c b/netboot.c
4210fa
index 238937d..f884cba 100644
4210fa
--- a/netboot.c
4210fa
+++ b/netboot.c
4210fa
@@ -108,29 +108,34 @@ BOOLEAN findNetboot(EFI_HANDLE device)
4210fa
 
4210fa
 static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt)
4210fa
 {
4210fa
-	void *optr;
4210fa
-	EFI_DHCP6_PACKET_OPTION *option;
4210fa
-	CHAR8 *url;
4210fa
-	UINT32 urllen;
4210fa
+	void *optr = NULL, *end = NULL;
4210fa
+	EFI_DHCP6_PACKET_OPTION *option = NULL;
4210fa
+	CHAR8 *url = NULL;
4210fa
+	UINT32 urllen = 0;
4210fa
 
4210fa
 	optr = pkt->DhcpOptions;
4210fa
+	end = optr + sizeof(pkt->DhcpOptions);
4210fa
 
4210fa
-	for(;;) {
4210fa
+	for (;;) {
4210fa
 		option = (EFI_DHCP6_PACKET_OPTION *)optr;
4210fa
 
4210fa
 		if (ntohs(option->OpCode) == 0)
4210fa
-			return NULL;
4210fa
+			break;
4210fa
 
4210fa
 		if (ntohs(option->OpCode) == 59) {
4210fa
 			/* This is the bootfile url option */
4210fa
 			urllen = ntohs(option->Length);
4210fa
-			url = AllocateZeroPool(urllen+1);
4210fa
+			if ((void *)(option->Data + urllen) > end)
4210fa
+				break;
4210fa
+			url = AllocateZeroPool(urllen + 1);
4210fa
 			if (!url)
4210fa
-				return NULL;
4210fa
+				break;
4210fa
 			memcpy(url, option->Data, urllen);
4210fa
 			return url;
4210fa
 		}
4210fa
 		optr += 4 + ntohs(option->Length);
4210fa
+		if (optr + sizeof(EFI_DHCP6_PACKET_OPTION) > end)
4210fa
+			break;
4210fa
 	}
4210fa
 
4210fa
 	return NULL;
4210fa
@@ -156,45 +161,60 @@ static CHAR16 str2ns(CHAR8 *str)
4210fa
 
4210fa
 static CHAR8 *str2ip6(CHAR8 *str)
4210fa
 {
4210fa
-        UINT8 i, j, p;
4210fa
-	size_t len;
4210fa
-        CHAR8 *a, *b, t;
4210fa
-        static UINT16 ip[8];
4210fa
+	UINT8 i = 0, j = 0, p = 0;
4210fa
+	size_t len = 0, dotcount = 0;
4210fa
+	enum { MAX_IP6_DOTS = 7 };
4210fa
+	CHAR8 *a = NULL, *b = NULL, t = 0;
4210fa
+	static UINT16 ip[8];
4210fa
 
4210fa
-        for(i=0; i < 8; i++) {
4210fa
-                ip[i] = 0;
4210fa
-        }
4210fa
-        len = strlen(str);
4210fa
-        a = b = str;
4210fa
-        for(i=p=0; i < len; i++, b++) {
4210fa
-                if (*b != ':')
4210fa
-                        continue;
4210fa
-                *b = '\0';
4210fa
-                ip[p++] = str2ns(a);
4210fa
-                *b = ':';
4210fa
-                a = b + 1;
4210fa
-                if ( *(b+1) == ':' )
4210fa
-                        break;
4210fa
-        }
4210fa
-        a = b = (str + len);
4210fa
-        for(j=len, p=7; j > i; j--, a--) {
4210fa
-                if (*a != ':')
4210fa
-                        continue;
4210fa
-                t = *b;
4210fa
-                *b = '\0';
4210fa
-                ip[p--] = str2ns(a+1);
4210fa
-                *b = t;
4210fa
-                b = a;
4210fa
-        }
4210fa
-        return (CHAR8 *)ip;
4210fa
+	memset(ip, 0, sizeof(ip));
4210fa
+
4210fa
+	/* Count amount of ':' to prevent overflows.
4210fa
+	 * max. count = 7. Returns an invalid ip6 that
4210fa
+	 * can be checked against
4210fa
+	 */
4210fa
+	for (a = str; *a != 0; ++a) {
4210fa
+		if (*a == ':')
4210fa
+			++dotcount;
4210fa
+	}
4210fa
+	if (dotcount > MAX_IP6_DOTS)
4210fa
+		return (CHAR8 *)ip;
4210fa
+
4210fa
+	len = strlen(str);
4210fa
+	a = b = str;
4210fa
+	for (i = p = 0; i < len; i++, b++) {
4210fa
+		if (*b != ':')
4210fa
+			continue;
4210fa
+		*b = '\0';
4210fa
+		ip[p++] = str2ns(a);
4210fa
+		*b = ':';
4210fa
+		a = b + 1;
4210fa
+		if (b[1] == ':' )
4210fa
+			break;
4210fa
+	}
4210fa
+	a = b = (str + len);
4210fa
+	for (j = len, p = 7; j > i; j--, a--) {
4210fa
+		if (*a != ':')
4210fa
+			continue;
4210fa
+		t = *b;
4210fa
+		*b = '\0';
4210fa
+		ip[p--] = str2ns(a+1);
4210fa
+		*b = t;
4210fa
+		b = a;
4210fa
+	}
4210fa
+	return (CHAR8 *)ip;
4210fa
 }
4210fa
 
4210fa
 static BOOLEAN extract_tftp_info(CHAR8 *url)
4210fa
 {
4210fa
 	CHAR8 *start, *end;
4210fa
 	CHAR8 ip6str[40];
4210fa
+	CHAR8 ip6inv[16];
4210fa
 	CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
4210fa
 
4210fa
+	// to check against str2ip6() errors
4210fa
+	memset(ip6inv, 0, sizeof(ip6inv));
4210fa
+
4210fa
 	if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) {
4210fa
 		Print(L"URLS MUST START WITH tftp://\n");
4210fa
 		return FALSE;
4210fa
@@ -209,7 +229,7 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
4210fa
 	end = start;
4210fa
 	while ((*end != '\0') && (*end != ']')) {
4210fa
 		end++;
4210fa
-		if (end - start > 39) {
4210fa
+		if (end - start >= (int)sizeof(ip6str)) {
4210fa
 			Print(L"TFTP URL includes malformed IPv6 address\n");
4210fa
 			return FALSE;
4210fa
 		}
4210fa
@@ -218,10 +238,12 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
4210fa
 		Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n");
4210fa
 		return FALSE;
4210fa
 	}
4210fa
-	memset(ip6str, 0, 40);
4210fa
+	memset(ip6str, 0, sizeof(ip6str));
4210fa
 	memcpy(ip6str, start, end - start);
4210fa
 	end++;
4210fa
 	memcpy(&tftp_addr.v6, str2ip6(ip6str), 16);
4210fa
+	if (memcmp(&tftp_addr.v6, ip6inv, sizeof(ip6inv)) == 0)
4210fa
+		return FALSE;
4210fa
 	full_path = AllocateZeroPool(strlen(end)+strlen(template)+1);
4210fa
 	if (!full_path)
4210fa
 		return FALSE;
4210fa
-- 
4210fa
1.9.3
4210fa