From: Hao Wu
To: edk2-devel@lists.01.org
Cc: Hao Wu, Liming Gao, Yonghong Zhu
Date: Wed, 12 Oct 2016 20:20:32 +0800
Message-Id: <1476274836-10544-49-git-send-email-hao.a.wu@intel.com>
In-Reply-To: <1476274836-10544-1-git-send-email-hao.a.wu@intel.com>
References: <1476274836-10544-1-git-send-email-hao.a.wu@intel.com>
Subject: [PATCH 48/52] BaseTools/VolInfo: Fix potential buffer overflow in scanf functions
List-Id: EDK II Development
X-List-Received-Date: Wed, 12 Oct 2016 12:22:14 -0000

String width is not specified for the '%s' specifier in the format string
for scanf functions. This can result in buffer overflows.

This commit now specifies the string length for '%s' in format strings
according to the size of the receiving buffers.

Cc: Liming Gao
Cc: Yonghong Zhu
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu
---
 BaseTools/Source/C/VolInfo/VolInfo.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/BaseTools/Source/C/VolInfo/VolInfo.c b/BaseTools/Source/C/VolInfo/VolInfo.c
index 07840bf..5285acd 100644
--- a/BaseTools/Source/C/VolInfo/VolInfo.c
+++ b/BaseTools/Source/C/VolInfo/VolInfo.c @@ -2178,6 +2178,8 @@ Returns: { FILE *Fptr; CHAR8 Line[MAX_LINE_LEN]; + CHAR8 *FormatString; + INTN FormatLength; GUID_TO_BASENAME *GPtr; if ((Fptr = fopen (LongFilePath (FileName), "r")) == NULL) { @@ -2185,18 +2187,44 @@ Returns: return EFI_DEVICE_ERROR; } + // + // Generate the format string for fscanf + // + FormatLength = snprintf ( + NULL, + 0, + "%%%us %%%us", + (unsigned) sizeof (GPtr->Guid) - 1, + (unsigned) sizeof (GPtr->BaseName) - 1 + ) + 1; + + FormatString = (CHAR8 *) malloc (FormatLength); + if (FormatString == NULL) { + fclose (Fptr); + return EFI_OUT_OF_RESOURCES; + } + + snprintf ( + FormatString, + FormatLength, + "%%%us %%%us", + (unsigned) sizeof (GPtr->Guid) - 1, + (unsigned) sizeof (GPtr->BaseName) - 1 + ); + while (fgets (Line, sizeof (Line), Fptr) != NULL) { // // Allocate space for another guid/basename element // GPtr = malloc (sizeof (GUID_TO_BASENAME)); if (GPtr == NULL) { + free (FormatString); fclose (Fptr); return EFI_OUT_OF_RESOURCES; } memset ((char *) GPtr, 0, sizeof (GUID_TO_BASENAME)); - if (sscanf (Line, "%s %s", GPtr->Guid, GPtr->BaseName) == 2) { + if (sscanf (Line, FormatString, GPtr->Guid, GPtr->BaseName) == 2) { GPtr->Next = mGuidBaseNameList; mGuidBaseNameList = GPtr; } else { @@ -2207,6 +2235,7 @@ Returns: } } + free (FormatString); fclose (Fptr); return EFI_SUCCESS; } -- 1.9.5.msysgit.0
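Review bot: in the @@ -2178,6 +2178,8 @@ hunk, FormatLength is declared INTN but is later assigned the int result of snprintf, and nothing checks that result for a negative value; on a toolchain whose snprintf does not implement the C99 "return the required length" contract, FormatLength would become 0 (from -1 + 1) and flow straight into malloc. Since sizeof (GPtr->Guid) and sizeof (GPtr->BaseName) are compile-time constants, the widest possible format string is tiny (two unsigned widths plus the literal), so a fixed-size local array such as `CHAR8 FormatString[32];` filled by one snprintf would remove the length probe, the malloc, the EFI_OUT_OF_RESOURCES path and every new free () call in this patch.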
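Review bot: in the @@ -2185,18 +2187,44 @@ hunk, the width bound stops the overflow but not the silent mis-parse that follows it: with "%Ns", a token longer than N is truncated and its tail is consumed as the next field, so an over-long GUID on a line still makes `sscanf (Line, FormatString, GPtr->Guid, GPtr->BaseName) == 2` true and a mangled entry is linked into mGuidBaseNameList. Either append " %n" to the format and require Line[Consumed] == '\0' before accepting, or verify that strlen (GPtr->Guid) equals the expected GUID text length. Separately, FormatString is freed on the `GPtr == NULL` path and at the end of the function, but the body of the `} else {` branch lies outside the hunk; please confirm it cannot return early, or add `free (FormatString);` there too. The `(unsigned) sizeof (GPtr->Guid) - 1` widths themselves are correct: "%Ns" stores at most N characters plus the terminating NUL, which exactly fills each array.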
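Review bot: in the @@ -2207,6 +2235,7 @@ hunk, free (FormatString) now has to be paired with fclose (Fptr) on every exit after the allocation (here, on the GPtr == NULL path, and in the else branch if it ever returns), so consider routing all exits through a single cleanup at this point via a Status variable rather than repeating the free/fclose pair, which keeps a future early return from leaking either resource.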
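The unbounded "%s" pattern the commit message describes, beside a hardened parser, as an added example in C that is not part of this patch or of EDK II. GUID_TO_BASENAME in the hunk is a real structure, but the record name GuidToBaseName, the field widths used here (36 for a registry-format text GUID, 15 for the base name), MAX_LINE, the helper functions and the sample map text are all assumptions made for this demo. The example also goes one step beyond the patch: it uses a "%n" probe to reject a line whose token was truncated by the width limit instead of silently accepting it.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not EDK II code. Field widths are assumptions standing in
 * for a GUID_TO_BASENAME-style entry. Because they are compile-time
 * constants, the sscanf bounds are baked into a string literal by the
 * preprocessor instead of being built with snprintf at run time. */
#define GUID_WIDTH 36
#define NAME_WIDTH 15
#define GUID_LEN   (GUID_WIDTH + 1)   /* +1 for the terminating NUL */
#define NAME_LEN   (NAME_WIDTH + 1)
#define MAX_LINE   256

#define STR2(x) #x
#define STR(x)  STR2(x)
/* Expands to "%36s %15s %n": bounded widths plus a consumed-length probe. */
#define MAP_LINE_FMT "%" STR(GUID_WIDTH) "s %" STR(NAME_WIDTH) "s %n"

typedef struct {
    char Guid[GUID_LEN];
    char BaseName[NAME_LEN];
} GuidToBaseName;

/* The vulnerable pattern: an unbounded "%s" for the GUID field. To make the
 * overrun observable without undefined behaviour, the token is read into a
 * large backing buffer and we measure how many bytes would have landed past
 * a GUID_LEN-sized field. Returns 0 when the token would have fit. */
size_t unbounded_overrun(const char *line)
{
    char backing[MAX_LINE];
    char name[MAX_LINE];
    size_t written;

    memset(backing, 0, sizeof backing);
    /* The second field is bounded only so this demo cannot overflow 'name'. */
    if (strlen(line) >= MAX_LINE ||
        sscanf(line, "%s %255s", backing, name) != 2) {
        return 0;
    }
    written = strlen(backing) + 1;    /* bytes sscanf stored, NUL included */
    return written > GUID_LEN ? written - GUID_LEN : 0;
}

/* Hardened form. The widths bound each field to its buffer; the "%n" probe
 * lets us verify the two tokens (plus trailing whitespace or newline)
 * consumed the whole line. "%Ns" silently truncates a longer token and
 * parses its tail as the next field, so sscanf still returns 2 and the width
 * alone would accept a mangled entry. Returns 0 on success, -1 otherwise. */
int parse_guid_basename(const char *line, GuidToBaseName *out)
{
    int consumed = 0;

    memset(out, 0, sizeof *out);
    if (sscanf(line, MAP_LINE_FMT, out->Guid, out->BaseName, &consumed) != 2) {
        return -1;
    }
    if (line[consumed] != '\0') {
        return -1;    /* leftover input: an over-long token or extra fields */
    }
    if (strlen(out->Guid) != GUID_WIDTH) {
        return -1;    /* a registry-format GUID is exactly 36 characters */
    }
    return 0;
}

/* Parses one line and compares the result with the expected fields. */
int parse_matches(const char *line, const char *guid, const char *name)
{
    GuidToBaseName e;
    return parse_guid_basename(line, &e) == 0 &&
           strcmp(e.Guid, guid) == 0 && strcmp(e.BaseName, name) == 0;
}

/* Constructed sample map text (not from any real build): one good line, one
 * over-long GUID, one over-long base name, and one junk line. */
static const char SAMPLE_MAP[] =
    "01234567-89ab-cdef-0123-456789abcdef FvMain\n"
    "01234567-89ab-cdef-0123-456789abcdefAAAAAAAAAA Overlong\n"
    "fedcba98-7654-3210-fedc-ba9876543210 ThisBaseNameIsTooLong\n"
    "garbage\n";

/* Mirror of a fgets loop over in-memory text; returns entries accepted. */
int load_map(const char *text, GuidToBaseName *out, int max)
{
    int n = 0;
    const char *p = text;

    while (*p != '\0' && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p + 1) : strlen(p); /* keep '\n' */
        char line[MAX_LINE];

        if (len >= sizeof line) {
            return -1;    /* a line longer than the buffer is itself suspect */
        }
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_guid_basename(line, &out[n]) == 0) {
            n++;
        }
        p += len;
    }
    return n;
}

int load_sample_count(void)
{
    GuidToBaseName table[8];
    return load_map(SAMPLE_MAP, table, 8);
}

int main(void)
{
    printf("unbounded %%s would overrun the GUID field by %zu bytes\n",
           unbounded_overrun("01234567-89ab-cdef-0123-456789abcdefAAAAAAAAAA X"));
    printf("accepted %d of 4 sample lines\n", load_sample_count());
    return 0;
}
```

Only the first sample line survives load_map: the over-long GUID and the over-long base name both leave unconsumed input behind the "%n" probe, and the junk line yields only one conversion. The width alone would have accepted the second line with a truncated GUID and "AAAAAAAAAA" as its base name.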