tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SecurityPkg/Pkcs7VerifyDxe: Add format check in DB list contents 

Add the size check for invalid format detection in AllowedDb,
RevokedDb and TimeStampDb list contents.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
This commit is contained in:
Long Qin 2017-05-03 17:25:48 +08:00
parent de8e4dc4df
commit 76b35710b9
1 changed files with 60 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
SecurityPkg/Pkcs7Verify/Pkcs7VerifyDxe/Pkcs7VerifyDxe.c
View File

@ -5,7 +5,7 @@
verify data signed using PKCS7 structure. The PKCS7 data to be verified must verify data signed using PKCS7 structure. The PKCS7 data to be verified must
be ASN.1 (DER) encoded. be ASN.1 (DER) encoded.
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR> Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -802,6 +802,8 @@ VerifyBuffer (
) )
{ {
EFI_STATUS Status; EFI_STATUS Status;
EFI_SIGNATURE_LIST *SigList;
UINTN Index;
UINT8 *AttachedData; UINT8 *AttachedData;
UINTN AttachedDataSize; UINTN AttachedDataSize;
UINT8 *DataPtr; UINT8 *DataPtr;
@ -817,6 +819,58 @@ VerifyBuffer (
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
//
// Check if any invalid entry format in AllowedDb list contents
//
for (Index = 0; ; Index++) {
SigList = (EFI_SIGNATURE_LIST *)(AllowedDb[Index]);
if (SigList == NULL) {
break;
}
if (SigList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) +
SigList->SignatureHeaderSize +
SigList->SignatureSize) {
return EFI_ABORTED;
}
}
//
// Check if any invalid entry format in RevokedDb list contents
//
if (RevokedDb != NULL) {
for (Index = 0; ; Index++) {
SigList = (EFI_SIGNATURE_LIST *)(RevokedDb[Index]);
if (SigList == NULL) {
break;
}
if (SigList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) +
SigList->SignatureHeaderSize +
SigList->SignatureSize) {
return EFI_ABORTED;
}
}
}
//
// Check if any invalid entry format in TimeStampDb list contents
//
if (TimeStampDb != NULL) {
for (Index = 0; ; Index++) {
SigList = (EFI_SIGNATURE_LIST *)(TimeStampDb[Index]);
if (SigList == NULL) {
break;
}
if (SigList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) +
SigList->SignatureHeaderSize +
SigList->SignatureSize) {
return EFI_ABORTED;
}
}
}
// //
// Try to retrieve the attached content from PKCS7 signedData // Try to retrieve the attached content from PKCS7 signedData
// //