mirror of https://github.com/acidanthera/audk.git
54e90edaed
The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return condition, but never actually checks whether the decoded buffer fits into the caller-provided room (i.e., the input value of "BinLength"), and EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can overflow "BinBuffer". This is remotely exploitable, as shown in a subsequent patch, which adds error checking to the IScsiHexToBin() call sites. This issue allows the target to compromise the initiator. Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow, plus actually catch the buffer overflow. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210608121259.32451-10-lersek@redhat.com> |
||
|---|---|---|
| .. | ||
| ComponentName.c | ||
| IScsiAuthenticationInfo.c | ||
| IScsiCHAP.c | ||
| IScsiCHAP.h | ||
| IScsiConfig.c | ||
| IScsiConfig.h | ||
| IScsiConfigNVDataStruc.h | ||
| IScsiConfigStrings.uni | ||
| IScsiConfigVfr.vfr | ||
| IScsiDhcp.c | ||
| IScsiDhcp.h | ||
| IScsiDhcp6.c | ||
| IScsiDhcp6.h | ||
| IScsiDns.c | ||
| IScsiDns.h | ||
| IScsiDriver.c | ||
| IScsiDriver.h | ||
| IScsiDxe.inf | ||
| IScsiDxe.uni | ||
| IScsiDxeExtra.uni | ||
| IScsiExtScsiPassThru.c | ||
| IScsiIbft.c | ||
| IScsiIbft.h | ||
| IScsiImpl.h | ||
| IScsiInitiatorName.c | ||
| IScsiMisc.c | ||
| IScsiMisc.h | ||
| IScsiProto.c | ||
| IScsiProto.h | ||