Resolved Coverity Issues in UefiPxeBcDxe 1.PxeBcHandleDhcp4Offer Expression "Private->SelectIndex - 1", where "Private->SelectIndex" is known to be equal to 0, underflows the type that receives it. 2.PxeBcDhcp4Discover Directly dereferencing pointer "Token.Packet" which might have NULL .As Token.Packet is checked against NULL in the function Exit line no 1587. 3.PxeBcDns6 Coverity reports dead loop error since IsDone is always false ,In Some scenario it might not update the to true 4.PxeBcHandleDhcp6Offer Expression "Private->SelectIndex - 1", where "Private->SelectIndex" is known to be equal to 0, underflows the type that receives it. 5.PxeBcDhcp6Sarr Potentially overflowing expression "10000000U * DadXmits.DupAddrDetectTransmits" with type "unsigned int" (32 bits, unsigned) 6.PxeBcDriver.c Private Data might be dereferencing the NULL pointer in some scenario.And also private is checked against null in function's Exit. For Example: below code checked private with NULL pointer in PxeBcStart() if (FirstStart && Private != NULL) { FreePool (Private);
Cc: Saloni Kasbekar <saloni.kasbe...@intel.com> Cc: Zachary Clark-williams <zachary.clark-willi...@intel.com> Signed-off-by: SanthoshKumarV <santhoshkum...@ami.com> --- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 8 ++++++-- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 8 +++++--- NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 11 +++++++++-- 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c index 91146b78cb..cfb7fe2301 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c @@ -1024,9 +1024,11 @@ PxeBcHandleDhcp4Offer ( EFI_STATUS Status; EFI_PXE_BASE_CODE_MODE *Mode; EFI_DHCP4_PACKET *Ack; + SelectIndex = 0; ASSERT (Private->SelectIndex > 0); - SelectIndex = (UINT32)(Private->SelectIndex - 1); + if (Private->SelectIndex > 0) + SelectIndex = (UINT32)(Private->SelectIndex - 1); ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM); Cache4 = &Private->OfferBuffer[SelectIndex].Dhcp4; Options = Cache4->OptList; @@ -1455,7 +1457,9 @@ PxeBcDhcp4Discover ( if (EFI_ERROR (Status)) { return Status; } - + if (Token.Packet == NULL) { + return EFI_NOT_FOUND; + } if (Mode->SendGUID) { if (EFI_ERROR (NetLibGetSystemGuid ((EFI_GUID *)Token.Packet->Dhcp4.Header.ClientHwAddr))) { // diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c index 7fd1281c11..11c89bcaa0 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c @@ -293,8 +293,7 @@ PxeBcDns6 ( if (EFI_ERROR (Status)) { goto Exit; } - - while (!IsDone) { + while (!IsDone && (Dns6->Poll != NULL)) { Dns6->Poll (Dns6); } @@ -1422,9 +1421,12 @@ PxeBcHandleDhcp6Offer ( UINT32 ProxyIndex; UINT32 SelectIndex; UINT32 Index; + SelectIndex = 0; ASSERT (Private != NULL); ASSERT (Private->SelectIndex > 0); + if (Private->SelectIndex > 0) + SelectIndex = (UINT32)(Private->SelectIndex - 1); SelectIndex = (UINT32)(Private->SelectIndex - 1); ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM); Cache6 = &Private->OfferBuffer[SelectIndex].Dhcp6; @@ -2430,8 +2432,8 @@ PxeBcDhcp6Sarr ( Dhcp6->Configure (Dhcp6, NULL); return Status; } + GetMappingTimeOut = TICKS_PER_SECOND * (UINT64)DadXmits.DupAddrDetectTransmits + PXEBC_DAD_ADDITIONAL_DELAY; - GetMappingTimeOut = TICKS_PER_SECOND * DadXmits.DupAddrDetectTransmits + PXEBC_DAD_ADDITIONAL_DELAY; Status = gBS->SetTimer (Timer, TimerRelative, GetMappingTimeOut); if (EFI_ERROR (Status)) { gBS->CloseEvent (Timer); diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c index d84aca7e85..4d0afd62f3 100644 --- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c +++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c @@ -109,7 +109,9 @@ PxeBcDestroyIp4Children ( ) { ASSERT (Private != NULL); - + if (Private == NULL){ + return; + } if (Private->ArpChild != NULL) { // // Close Arp for PxeBc->Arp and destroy the instance. @@ -291,7 +293,9 @@ PxeBcDestroyIp6Children ( ) { ASSERT (Private != NULL); - + if (Private == NULL){ + return; + } if (Private->Ip6Child != NULL) { // // Close Ip6 for Ip6->Ip6Config and destroy the instance. @@ -561,6 +565,9 @@ PxeBcCreateIp4Children ( PXEBC_PRIVATE_PROTOCOL *Id; EFI_SIMPLE_NETWORK_PROTOCOL *Snp; + if (Private == NULL){ + return EFI_INVALID_PARAMETER; + } if (Private->Ip4Nic != NULL) { // // Already created before. -- 2.42.0.windows.2 -The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118948): https://edk2.groups.io/g/devel/message/118948 Mute This Topic: https://groups.io/mt/106130103/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-