From 2673ffb3561be2bc31bbf0a81801c0b88c5b7fbd Mon Sep 17 00:00:00 2001 From: Hao Wu Date: Mon, 13 Jul 2015 01:24:00 +0000 Subject: [PATCH] IntelFrameworkModulePkg DeviceMngr: Potential read over memory boundary This commit will resolve the issue brought by r17738. String = AllocateCopyPool (BufferLen, L"MAC:"); The above using of AllocateCopyPool() will read contents out of the scope of the constant string. Potential risk for the constant string allocated at the boundary of memory region. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu Reviewed-by: Qiu Shumin Reviewed-by: Jeff Fan git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17933 6f19259b-4bc3-4df7-8a09-765794883524 --- .../Universal/BdsDxe/DeviceMngr/DeviceManager.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c b/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c index 5da0d470a3..af2b18a047 100644 --- a/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c +++ b/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c @@ -374,12 +374,13 @@ GetMacAddressString( // The size is the Number size + ":" size + Vlan size(\XXXX) + End // BufferLen = (4 + 2 * HwAddressSize + (HwAddressSize - 1) + 5 + 1) * sizeof (CHAR16); - String = AllocateCopyPool (BufferLen, L"MAC:"); + String = AllocateZeroPool (BufferLen); if (String == NULL) { return FALSE; } *PBuffer = String; + StrCpyS (String, BufferLen / sizeof (CHAR16), L"MAC:"); String += 4; //