From 599c8309a5ece688a704b4f95d9a39de3fd3f81c Mon Sep 17 00:00:00 2001
From: Michael D Kinney
Date: Wed, 23 Oct 2024 18:51:22 -0700
Subject: [PATCH] NetworkPkg/Dhcp6Dxe: Fix sanitizer issues
* EFI_DHCP6_DUID structure declares Duid[1], so the size of that structure is not large enough to hold an entire Duid. Instead, compute the correct size to allocate an EFI_DHCP6_DUID structure.
* Dhcp6AppendOption() takes a length parameter that in network order. Update test cases to make sure a network order length is passed in. A value of 0x0004 was being passed in and was then converted to 0x0400 length and buffer overflow was detected.
Signed-off-by: Michael D Kinney
---
 NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
index 7db253a7b87f..5998d481f65c 100644
--- a/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
+++ b/NetworkPkg/Dhcp6Dxe/GoogleTest/Dhcp6IoGoogleTest.cpp
@@ -161,7 +161,7 @@ TEST_F (Dhcp6AppendOptionTest, ValidDataExpectSuccess) {
 Packet->Length = sizeof (EFI_DHCP6_HEADER);
 OriginalLength = Packet->Length;
- UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (sizeof (EFI_DHCP6_DUID));
+ UntrustedDuid = (EFI_DHCP6_DUID *)AllocateZeroPool (OFFSET_OF (EFI_DHCP6_DUID, Duid) + sizeof (Duid));
 ASSERT_NE (UntrustedDuid, (EFI_DHCP6_DUID *)NULL);
 UntrustedDuid->Length = NTOHS (sizeof (Duid));
@@ -763,7 +763,7 @@ TEST_F (Dhcp6SeekStsOptionTest, SeekIATAOptionExpectFail) {
 Dhcp6SeekStsOptionTest::Packet,
 &Option,
 Dhcp6OptStatusCode,
- SearchPatternLength,
+ HTONS (SearchPatternLength),
 (UINT8 *)&SearchPattern
 );
 ASSERT_EQ (Status, EFI_SUCCESS);
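Review bot: In ValidDataExpectSuccess the new allocation size uses `Duid` in two senses: `OFFSET_OF (EFI_DHCP6_DUID, Duid)` names the structure member, while `sizeof (Duid)` measures a local declared outside this hunk. A one-line comment above the call would make the intent explicit, e.g. `// EFI_DHCP6_DUID ends in Duid[1]; allocate the header plus the full local Duid payload.` The unchanged line below stores the length with `NTOHS (sizeof (Duid))`; the conversion there is host-to-network, so `HTONS` would read consistently with the two Dhcp6SeekStsOptionTest hunks. The test body starts and ends outside the hunk, so whatever later copies into `UntrustedDuid->Duid` could not be checked against the new size.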
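Review bot: SeekIATAOptionExpectFail still checks only `ASSERT_EQ (Status, EFI_SUCCESS)` after the append, and going by the commit message the byte-swapped length was caught by a sanitizer rather than by this assertion, so a byte-order regression would apparently still pass in a non-sanitizer build. Consider also asserting the packet length after the call, for example `ASSERT_EQ (Dhcp6SeekStsOptionTest::Packet->Length, LengthBefore + 4 + SearchPatternLength);`, where `LengthBefore` is a constructed name for a local captured before the call and 4 is the DHCPv6 option code and length header. This assumes the append grows `Length` by exactly header plus payload, which is not visible here. The same applies to the identical change in SeekIANAOptionExpectSuccess (the hunk at line 815). The call and the test body begin outside the hunk, so the callee is inferred from the commit message.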
@@ -815,7 +815,7 @@ TEST_F (Dhcp6SeekStsOptionTest, SeekIANAOptionExpectSuccess) {
 Dhcp6SeekStsOptionTest::Packet,
 &Option,
 Dhcp6OptStatusCode,
- SearchPatternLength,
+ HTONS (SearchPatternLength),
 (UINT8 *)&SearchPattern
 );
 ASSERT_EQ (Status, EFI_SUCCESS);