tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MdePkg DevicePathLib: Validate before touch input buffer. 

Current code not validate the input buffer before touch.
it may touch the buffer outside the validate scope. This
patch validate the input size big enough to touch the
first node.

Cc: Ruiyu NI <ruiyu.ni@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
This commit is contained in:
Eric Dong 2016-10-27 11:08:37 +08:00 committed by Star Zeng
parent 1420143f01
commit c0cba3d5dd
1 changed files with 21 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLib.c
View File

@ -103,17 +103,33 @@ IsDevicePathValid (
ASSERT (DevicePath != NULL); ASSERT (DevicePath != NULL);
if (MaxSize == 0) {
MaxSize = MAX_UINTN;
}
//
// Validate the input size big enough to touch the first node.
//
if (MaxSize < sizeof (EFI_DEVICE_PATH_PROTOCOL)) {
return FALSE;
}
for (Count = 0, Size = 0; !IsDevicePathEnd (DevicePath); DevicePath = NextDevicePathNode (DevicePath)) { for (Count = 0, Size = 0; !IsDevicePathEnd (DevicePath); DevicePath = NextDevicePathNode (DevicePath)) {
NodeLength = DevicePathNodeLength (DevicePath); NodeLength = DevicePathNodeLength (DevicePath);
if (NodeLength < sizeof (EFI_DEVICE_PATH_PROTOCOL)) { if (NodeLength < sizeof (EFI_DEVICE_PATH_PROTOCOL)) {
return FALSE; return FALSE;
} }
if (MaxSize > 0) { if (NodeLength > MAX_UINTN - Size) {
Size += NodeLength; return FALSE;
if (Size + END_DEVICE_PATH_LENGTH > MaxSize) { }
return FALSE; Size += NodeLength;
}
//
// Validate next node before touch it.
//
if (Size > MaxSize - END_DEVICE_PATH_LENGTH ) {
return FALSE;
} }
if (PcdGet32 (PcdMaximumDevicePathNodeCount) > 0) { if (PcdGet32 (PcdMaximumDevicePathNodeCount) > 0) {