diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
index eb2a80b64f..ab38013369 100644
--- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
+++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
@@ -2,6 +2,7 @@
The implementation of EFI IPv6 Configuration Protocol.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation.
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -390,24 +391,9 @@ Ip6ConfigReadConfigData (
);
if (EFI_ERROR (Status) || (UINT16) (~NetblockChecksum ((UINT8 *) Variable, (UINT32) VarSize)) != 0) {
//
- // GetVariable still error or the variable is corrupted.
- // Fall back to the default value.
+ // GetVariable error or the variable is corrupted.
//
- FreePool (Variable);
-
- //
- // Remove the problematic variable and return EFI_NOT_FOUND, a new
- // variable will be set again.
- //
- gRT->SetVariable (
- VarName,
- &gEfiIp6ConfigProtocolGuid,
- IP6_CONFIG_VARIABLE_ATTRIBUTE,
- 0,
- NULL
- );
-
- return EFI_NOT_FOUND;
+ goto Error;
}
//
@@ -432,7 +418,12 @@ Ip6ConfigReadConfigData (
if (!DATA_ATTRIB_SET (DataItem->Attribute, DATA_ATTRIB_SIZE_FIXED)) {
//
// This data item has variable length data.
+ // Check that the length is contained within the variable before allocating.
//
+ if (DataRecord.DataSize > VarSize - DataRecord.Offset) {
+ goto Error;
+ }
+
DataItem->Data.Ptr = AllocatePool (DataRecord.DataSize);
if (DataItem->Data.Ptr == NULL) {
//
@@ -454,6 +445,28 @@ Ip6ConfigReadConfigData (
}
return Status;
+
+Error:
+ //
+ // Fall back to the default value.
+ //
+ if (Variable != NULL) {
+ FreePool (Variable);
+ }
+
+ //
+ // Remove the problematic variable and return EFI_NOT_FOUND, a new
+ // variable will be set again.
+ //
+ gRT->SetVariable (
+ VarName,
+ &gEfiIp6ConfigProtocolGuid,
+ IP6_CONFIG_VARIABLE_ATTRIBUTE,
+ 0,
+ NULL
+ );
+
+ return EFI_NOT_FOUND;
}
/**