From: Andrei Borzenkov <arvidjaar@gmail.com>
To: Michael Chang <mchang@suse.com>
Cc: grub-devel@gnu.org
Subject: Re: [PATCH 1/3] Added net_bootp6 command
Date: Sun, 19 Apr 2015 11:15:21 +0300 [thread overview]
Message-ID: <20150419111521.039880c4@opensuse.site> (raw)
In-Reply-To: <20150417050427.GA8017@linux-dsax.tai.apac.novell.com>
В Fri, 17 Apr 2015 13:04:27 +0800
Michael Chang <mchang@suse.com> пишет:
> >
> > > +static const struct grub_dhcpv6_option*
> > > +find_dhcpv6_option (const struct grub_net_dhcpv6_packet *packet,
> > > + grub_uint16_t option)
> > > +{
> > > + grub_uint16_t code, len;
> > > + const struct grub_dhcpv6_option *popt;
> > > +
> > > + popt = (const struct grub_dhcpv6_option *)packet->dhcp_options;
> > > + code = grub_be_to_cpu16 (popt->code);
> > > + len = grub_be_to_cpu16 (popt->len);
> > > +
> > > + while (0 != code && option != code)
> >
> > This probably needs upper boundary check in case we are dealing with
> > corrupted packets.
>
>
> Do you mean checking the option length can't exceed netbuff length?
>
Yes (and in all other cases below as well).
> The ( 0!= code ) did certain kind of upper boundary check for me, but
> I know you may disagree that. :)
>
> Btw, in grub-core/net/ip.c::handle_dgram() has checksum for the receiving
> packets, so the corrputed packets wouldn't sneak in easily.
>
Correct checksum just means content was not altered; it does not mean
content was correct to start with.
> > > +
> > > + ip_start = ip_end = NULL;
> > > + ip_start = bootfile_url + grub_strlen(pr);
> > > +
> > > + if (*ip_start != '[')
> > > + ip_start = NULL;
> > > + else
> > > + ip_end = grub_strchr (++ip_start, ']');
> > > +
> > > + if (!ip_start || !ip_end)
> > > + {
> > > + grub_error (GRUB_ERR_IO, N_("IPv6-address not in square brackets"));
> > > + goto cleanup;
> > > + }
> > > +
> >
> > Can bootfile_url contain a name and not IPv6 address? Or is address
> > mandatory?
>
> Yes. The string in URL form is mandatory.
>
I probably was not clear. Must it always be IPv6 address literal as
implied by code or can it be e.g. DNS name?
> > > +struct grub_net_network_level_interface *
> > > +grub_net_configure_by_dhcpv6_reply (const char *name,
> > > + struct grub_net_card *card,
> > > + grub_net_interface_flags_t flags,
> > > + const struct grub_net_dhcpv6_packet *v6,
> > > + grub_size_t size __attribute__ ((unused)),
> > > + int is_def,
> > > + char **device, char **path)
> > > +{
> > > + grub_net_network_level_address_t addr;
> > > + grub_net_network_level_netaddress_t netaddr;
> > > + struct grub_net_network_level_interface *inf;
> > > + const grub_uint8_t *your_ip;
> > > + char *proto;
> > > + char *server_ip;
> > > + char *boot_file;
> > > + grub_net_network_level_address_t *dns;
> > > + grub_uint16_t num_dns;
> > > +
> > > + if (device)
> > > + *device = NULL;
> > > +
> > > + if (path)
> > > + *path = NULL;
> > > +
> > > + if (v6->message_type != DHCPv6_REPLY)
> >
> > Is it really possible? We come here if packet is DHCPv6_REPLY only.
>
> I'm in case some evil firmware to cache some other packets type rather
> than reply (or even junks in it ..).
>
Yes, but what I mean - this function is only called when we already
checked for message_type == DHCPv6_REPLY. So the only reason it can be
different here is physical memory corruption.
next prev parent reply other threads:[~2015-04-19 8:15 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-15 9:05 [RFC] Support DHCPv6 and UEFI IPv6 PXE Michael Chang
2015-04-15 9:05 ` [PATCH 1/3] Added net_bootp6 command Michael Chang
2015-04-16 14:40 ` Andrei Borzenkov
2015-04-17 5:04 ` Michael Chang
2015-04-19 8:15 ` Andrei Borzenkov [this message]
2015-04-20 3:09 ` Michael Chang
2015-04-20 3:38 ` Andrei Borzenkov
2015-04-15 9:05 ` [PATCH 2/3] UEFI IPv6 PXE support Michael Chang
2015-04-15 9:05 ` [PATCH 3/3] Use UEFI MAC device as default configured by net_bootp6 Michael Chang
2015-04-16 19:58 ` Andrei Borzenkov
2015-04-17 6:41 ` Michael Chang
2015-04-17 9:01 ` Andrei Borzenkov
2015-04-17 9:48 ` [RFC] Support DHCPv6 and UEFI IPv6 PXE Andrei Borzenkov
-- strict thread matches above, loose matches on Subject: below --
2015-05-12 8:49 [PATCH v1] " Michael Chang
2015-05-12 8:49 ` [PATCH 1/3] Added net_bootp6 command Michael Chang
2015-05-15 6:26 ` Andrei Borzenkov
2015-05-15 13:57 ` Michael Chang
2015-05-16 5:42 ` Andrei Borzenkov
2015-05-19 8:42 ` Michael Chang
2015-05-30 7:25 ` Andrei Borzenkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150419111521.039880c4@opensuse.site \
--to=arvidjaar@gmail.com \
--cc=grub-devel@gnu.org \
--cc=mchang@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).