From b95e87d6764eb59e0e0814da5f33c4900cab57d4 Mon Sep 17 00:00:00 2001 From: ShenYage Date: Fri, 28 Feb 2025 16:04:22 +0800 Subject: [PATCH 1/2] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Relared Patch BUG: Tianocore's EDK2 TCP implementation generates ISNs using fixed increments from a fixed base value and thus is uceptible to TCP session injection and session hijack attacks. This commit is a patch for CVE-2023-45236. Generates ISNs using RngLib to get a high-quality random number. Signed-off-by: ShenYage --- NetworkPkg/TcpDxe/TcpDxe.inf | 1 + NetworkPkg/TcpDxe/TcpMain.h | 1 + NetworkPkg/TcpDxe/TcpMisc.c | 9 ++++++++- NetworkPkg/TcpDxe/TcpTimer.c | 7 ++++++- 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf index c0acbdca..9281f908 100644 --- a/NetworkPkg/TcpDxe/TcpDxe.inf +++ b/NetworkPkg/TcpDxe/TcpDxe.inf @@ -67,6 +67,7 @@ DpcLib NetLib IpIoLib + RngLib [Protocols] diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h index c0c9b7f4..fc66c00e 100644 --- a/NetworkPkg/TcpDxe/TcpMain.h +++ b/NetworkPkg/TcpDxe/TcpMain.h @@ -16,6 +16,7 @@ #include #include #include +#include #include "Socket.h" #include "TcpProto.h" diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c index c93212d4..b5e6120d 100644 --- a/NetworkPkg/TcpDxe/TcpMisc.c +++ b/NetworkPkg/TcpDxe/TcpMisc.c @@ -516,7 +516,14 @@ TcpGetIss ( VOID ) { - mTcpGlobalIss += TCP_ISS_INCREMENT_1; + UINT32 RandomVal; + + if (GetRandomNumber32(&RandomVal)) { + mTcpGlobalIss += RandomVal; + } else { + mTcpGlobalIss += TCP_ISS_INCREMENT_1; + } + return mTcpGlobalIss; } diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c index 5d2e1249..5c2ba1a1 100644 --- a/NetworkPkg/TcpDxe/TcpTimer.c +++ b/NetworkPkg/TcpDxe/TcpTimer.c 
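Review bot: The `else` branch in TcpGetIss() silently falls back to `mTcpGlobalIss += TCP_ISS_INCREMENT_1` when GetRandomNumber32() returns FALSE, which restores the fixed-increment ISN sequence that the commit message names as the cause of CVE-2023-45236; the TcpTickingDpc hunk in TcpTimer.c has the same fallback with TCP_ISS_INCREMENT_2. At minimum the failure should be reported, for example `DEBUG ((DEBUG_ERROR, "TcpGetIss: RNG failed, ISN is predictable\n"));` in the else branch, and a stricter design would refuse to open the connection instead of continuing with a guessable ISN. How unpredictable the result is also depends on which RngLib instance the platform maps for TcpDxe, which this patch does not show, so a comment above TcpGetIss() should state that a cryptographically strong instance is required. A per-connection keyed-hash ISN as described in RFC 6528 would remove the dependence on one global counter, but that is a larger change than this hunk.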
@@ -481,9 +481,14 @@ TcpTickingDpc ( LIST_ENTRY *Next; TCP_CB *Tcb; INT16 Index; + UINT32 RandomVal; mTcpTick++; - mTcpGlobalIss += TCP_ISS_INCREMENT_2; + if (GetRandomNumber32(&RandomVal)) { + mTcpGlobalIss += RandomVal; + } else { + mTcpGlobalIss += TCP_ISS_INCREMENT_2; + } // // Don't use LIST_FOR_EACH, which isn't delete safe. -- 2.33.0
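Review bot: Calling GetRandomNumber32() on every tick inside TcpTickingDpc() looks unnecessary, because TcpGetIss() already adds a fresh random value each time an ISN is handed out, so the per-tick call adds RNG load to the timer DPC without making the issued ISN harder to guess (assuming the RNG call in TcpGetIss() succeeds). Consider keeping the original `mTcpGlobalIss += TCP_ISS_INCREMENT_2;` here and documenting the choice with a comment such as `// ISN unpredictability comes from TcpGetIss(); the tick only advances the base.`. On style, the new call is written `GetRandomNumber32(&RandomVal)` without the space before the parenthesis that the surrounding code uses (`TcpTickingDpc (`), so it should read `if (GetRandomNumber32 (&RandomVal)) {`; the same applies in TcpGetIss(). TcpTickingDpc's body continues outside this hunk, so the real cost per tick cannot be fully judged from here.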