|
| 1 | +From 4029abaa6248f603007642077ee067131bb1c050 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Madhavan <madavtechy@gmail.com> |
| 3 | +Date: Fri, 14 Mar 2025 14:15:13 -0400 |
| 4 | +Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI |
| 5 | + bz4206 |
| 6 | + |
| 7 | +Used SafeUint32Add to calculate and validate OutTransferLength with |
| 8 | +boundary check in IScsiOnR2TRcvd to avoid integer overflow |
| 9 | + |
| 10 | +Signed-off-by: Madhavan <madavtechy@gmail.com> |
| 11 | +Signed-off-by: rpm-build <rpm-build> |
| 12 | +Upstream-reference: https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda.patch |
| 13 | +--- |
| 14 | + NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++-- |
| 15 | + 1 file changed, 8 insertions(+), 2 deletions(-) |
| 16 | + |
| 17 | +diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c |
| 18 | +index ef58764..fb48e63 100644 |
| 19 | +--- a/NetworkPkg/IScsiDxe/IScsiProto.c |
| 20 | ++++ b/NetworkPkg/IScsiDxe/IScsiProto.c |
| 21 | +@@ -1,7 +1,7 @@ |
| 22 | + /** @file |
| 23 | + The implementation of iSCSI protocol based on RFC3720. |
| 24 | + |
| 25 | +-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR> |
| 26 | ++Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR> |
| 27 | + SPDX-License-Identifier: BSD-2-Clause-Patent |
| 28 | + |
| 29 | + **/ |
| 30 | +@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd ( |
| 31 | + EFI_STATUS Status; |
| 32 | + ISCSI_XFER_CONTEXT *XferContext; |
| 33 | + UINT8 *Data; |
| 34 | ++ UINT32 TransferLength; |
| 35 | + |
| 36 | + R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL); |
| 37 | + if (R2THdr == NULL) { |
| 38 | +@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd ( |
| 39 | + XferContext->Offset = R2THdr->BufferOffset; |
| 40 | + XferContext->DesiredLength = R2THdr->DesiredDataTransferLength; |
| 41 | + |
| 42 | +- if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) || |
| 43 | ++ Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength); |
| 44 | ++ if (EFI_ERROR (Status)) { |
| 45 | ++ return EFI_PROTOCOL_ERROR; |
| 46 | ++ } |
| 47 | ++ |
| 48 | ++ if ((TransferLength > Packet->OutTransferLength) || |
| 49 | + (XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength) |
| 50 | + ) |
| 51 | + { |
| 52 | +-- |
| 53 | +2.45.4 |
| 54 | + |
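Review bot: The new overflow branch in the IScsiOnR2TRcvd hunk (`Status = SafeUint32Add (...)` followed by `return EFI_PROTOCOL_ERROR;`) has no comment saying why the sum is checked. The reason is security-relevant: both operands are copied from the received R2T header (`R2THdr->BufferOffset`, `R2THdr->DesiredDataTransferLength`), so a wrapped 32-bit sum could otherwise pass the comparison with `Packet->OutTransferLength`. I would add above the call `// Offset and DesiredLength come from the peer's R2T PDU; reject a sum that wraps so the bounds check below cannot be bypassed.` The diffstat shows only IScsiProto.c changed, so confirm that `Library/SafeIntLib.h` is already included and that SafeIntLib is listed in the driver's INF, since neither is visible in this patch. The function body starts and continues outside the hunk.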