Skip to content

Commit

Permalink
NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch
Browse files Browse the repository at this point in the history 
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536

Bug Overview:
PixieFail Bug #3
CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read

Out-of-bounds read when handling a ND Redirect message with truncated
options

Change Overview:

Adds a check to prevent truncated options from being parsed
+  //
+  // Cannot process truncated options.
+  // Cannot process options with a length of 0 as there is no Type
field.
+  //
+  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+    return FALSE;
+  }

Cc: Saloni Kasbekar <[email protected]>
Cc: Zachary Clark-williams <[email protected]>

Signed-off-by: Doug Flick [MSFT] <[email protected]>
Reviewed-by: Saloni Kasbekar <[email protected]>
  • Loading branch information
@Flickdm @mergify
Flickdm authored and mergify[bot] committed Feb 6, 2024
1 parent 0736276 commit bbfee34
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions NetworkPkg/Ip6Dxe/Ip6Option.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,14 @@ Ip6IsNDOptionValid (
return FALSE;
}

//
// Cannot process truncated options.
// Cannot process options with a length of 0 as there is no Type field.
//
if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
return FALSE;
}

Offset = 0;

//
Expand Down

0 comments on commit bbfee34

Please sign in to comment.