Resolved Coverity Issues in UefiPxeBcDxe
1.PxeBcHandleDhcp4Offer
Expression "Private->SelectIndex - 1", where "Private->SelectIndex" is known to
be equal to 0, underflows the type that receives it.
2.PxeBcDhcp4Discover
Directly dereferencing pointer "Token.Packet" which might have NULL .As
Token.Packet is checked against NULL in the function Exit line no 1587.
3.PxeBcDns6
Coverity reports dead loop error since IsDone is always false ,In Some scenario
it might not update the to true
4.PxeBcHandleDhcp6Offer
Expression "Private->SelectIndex - 1", where "Private->SelectIndex" is known to
be equal to 0, underflows the type that receives it.
5.PxeBcDhcp6Sarr
Potentially overflowing expression "10000000U *
DadXmits.DupAddrDetectTransmits" with type "unsigned int" (32 bits, unsigned)
6.PxeBcDriver.c
Private Data might be dereferencing the NULL pointer in some scenario.And also
private is checked against null in function's Exit.
For Example: below code checked private with NULL pointer in PxeBcStart()
if (FirstStart && Private != NULL) {
FreePool (Private);
Cc: Saloni Kasbekar <saloni.kasbe...@intel.com>
Cc: Zachary Clark-williams <zachary.clark-willi...@intel.com>
Signed-off-by: SanthoshKumarV <santhoshkum...@ami.com>
---
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 8 ++++++--
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 8 +++++---
NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 11 +++++++++--
3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
index 91146b78cb..cfb7fe2301 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
@@ -1024,9 +1024,11 @@ PxeBcHandleDhcp4Offer (
EFI_STATUS Status;
EFI_PXE_BASE_CODE_MODE *Mode;
EFI_DHCP4_PACKET *Ack;
+ SelectIndex = 0;
ASSERT (Private->SelectIndex > 0);
- SelectIndex = (UINT32)(Private->SelectIndex - 1);
+ if (Private->SelectIndex > 0)
+ SelectIndex = (UINT32)(Private->SelectIndex - 1);
ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM);
Cache4 = &Private->OfferBuffer[SelectIndex].Dhcp4;
Options = Cache4->OptList;
@@ -1455,7 +1457,9 @@ PxeBcDhcp4Discover (
if (EFI_ERROR (Status)) {
return Status;
}
-
+ if (Token.Packet == NULL) {
+ return EFI_NOT_FOUND;
+ }
if (Mode->SendGUID) {
if (EFI_ERROR (NetLibGetSystemGuid ((EFI_GUID
*)Token.Packet->Dhcp4.Header.ClientHwAddr))) {
//
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
index 7fd1281c11..11c89bcaa0 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
@@ -293,8 +293,7 @@ PxeBcDns6 (
if (EFI_ERROR (Status)) {
goto Exit;
}
-
- while (!IsDone) {
+ while (!IsDone && (Dns6->Poll != NULL)) {
Dns6->Poll (Dns6);
}
@@ -1422,9 +1421,12 @@ PxeBcHandleDhcp6Offer (
UINT32 ProxyIndex;
UINT32 SelectIndex;
UINT32 Index;
+ SelectIndex = 0;
ASSERT (Private != NULL);
ASSERT (Private->SelectIndex > 0);
+ if (Private->SelectIndex > 0)
+ SelectIndex = (UINT32)(Private->SelectIndex - 1);
SelectIndex = (UINT32)(Private->SelectIndex - 1);
ASSERT (SelectIndex < PXEBC_OFFER_MAX_NUM);
Cache6 = &Private->OfferBuffer[SelectIndex].Dhcp6;
@@ -2430,8 +2432,8 @@ PxeBcDhcp6Sarr (
Dhcp6->Configure (Dhcp6, NULL);
return Status;
}
+ GetMappingTimeOut = TICKS_PER_SECOND *
(UINT64)DadXmits.DupAddrDetectTransmits + PXEBC_DAD_ADDITIONAL_DELAY;
- GetMappingTimeOut = TICKS_PER_SECOND * DadXmits.DupAddrDetectTransmits +
PXEBC_DAD_ADDITIONAL_DELAY;
Status = gBS->SetTimer (Timer, TimerRelative,
GetMappingTimeOut);
if (EFI_ERROR (Status)) {
gBS->CloseEvent (Timer);
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
index d84aca7e85..4d0afd62f3 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
@@ -109,7 +109,9 @@ PxeBcDestroyIp4Children (
)
{
ASSERT (Private != NULL);
-
+ if (Private == NULL){
+ return;
+ }
if (Private->ArpChild != NULL) {
//
// Close Arp for PxeBc->Arp and destroy the instance.
@@ -291,7 +293,9 @@ PxeBcDestroyIp6Children (
)
{
ASSERT (Private != NULL);
-
+ if (Private == NULL){
+ return;
+ }
if (Private->Ip6Child != NULL) {
//
// Close Ip6 for Ip6->Ip6Config and destroy the instance.
@@ -561,6 +565,9 @@ PxeBcCreateIp4Children (
PXEBC_PRIVATE_PROTOCOL *Id;
EFI_SIMPLE_NETWORK_PROTOCOL *Snp;
+ if (Private == NULL){
+ return EFI_INVALID_PARAMETER;
+ }
if (Private->Ip4Nic != NULL) {
//
// Already created before.
--
2.42.0.windows.2
-The information contained in this message may be confidential and proprietary
to American Megatrends (AMI). This communication is intended to be read only by
the individual or entity to whom it is addressed or by their designee. If the
reader of this message is not the intended recipient, you are on notice that
any distribution of this message, in any form, is strictly prohibited. Please
promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and
then delete or destroy all copies of the transmission.
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118948): https://edk2.groups.io/g/devel/message/118948
Mute This Topic: https://groups.io/mt/106130103/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
