From 816a19fcd3a2b9a4b32de4613a9e6dc60814ee4f Mon Sep 17 00:00:00 2001
From: adttil <13380049+adttil@user.noreply.gitee.com>
Date: Sat, 24 Feb 2024 14:20:27 +0800
Subject: [PATCH 06/13] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch

Bug Overview:
PixieFail Bug #3
CVE-2023-45231
CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-125 Out-of-bounds Read

Out-of-bounds read when handling a ND Redirect message with truncated
options

Change Overview:

Adds a check to prevent truncated options from being parsed
+  //
+  // Cannot process truncated options.
+  // Cannot process options with a length of 0 as there is no Type
field.
+  //
+  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+    return FALSE;
+  }

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>

ref: https://github.com/tianocore/edk2/commit/bbfee34f4188ac00371abe1389ae9c9fb989a0cd
Signed-off-by: yexiao yexiao7@huawei.com
---
 NetworkPkg/Ip6Dxe/Ip6Option.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c
index 6b4b029d..5c48006f 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Option.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Option.c
@@ -138,6 +138,14 @@ Ip6IsNDOptionValid (
     return FALSE;
   }
 
+  //
+  // Cannot process truncated options.
+  // Cannot process options with a length of 0 as there is no Type field.
+  //
+  if (OptionLen < sizeof (IP6_OPTION_HEADER)) {
+    return FALSE;
+  }
+
   Offset = 0;
 
   //
-- 
2.33.0