public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Eric Dong <eric.dong@intel.com>
To: edk2-devel@lists.01.org
Cc: Ruiyu NI <ruiyu.ni@intel.com>, Jiewen Yao <jiewen.yao@intel.com>
Subject: [Patch 2/4] MdePkg DevicePathLib: Validate before touch input buffer.
Date: Thu, 27 Oct 2016 14:36:29 +0800	[thread overview]
Message-ID: <1477550191-11836-3-git-send-email-eric.dong@intel.com> (raw)
In-Reply-To: <1477550191-11836-1-git-send-email-eric.dong@intel.com>

Current code not validate the input buffer before touch.
it may touch the buffer outside the validate scope. This
patch validate the input size big enough to touch the
first node.

Cc: Ruiyu NI <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
---
 .../UefiDevicePathLib.c                            | 26 +++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLib.c b/MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLib.c
index a514f1b..2252d18 100644
--- a/MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLib.c
+++ b/MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLib.c
@@ -103,17 +103,33 @@ IsDevicePathValid (
 
   ASSERT (DevicePath != NULL);
 
+  if (MaxSize == 0) {
+    MaxSize = MAX_UINTN;
+  }
+
+  //
+  // Validate the input size big enough to touch the first node.
+  //
+  if (MaxSize < sizeof (EFI_DEVICE_PATH_PROTOCOL)) {
+    return FALSE;
+  }
+
   for (Count = 0, Size = 0; !IsDevicePathEnd (DevicePath); DevicePath = NextDevicePathNode (DevicePath)) {
     NodeLength = DevicePathNodeLength (DevicePath);
     if (NodeLength < sizeof (EFI_DEVICE_PATH_PROTOCOL)) {
       return FALSE;
     }
 
-    if (MaxSize > 0) {
-      Size += NodeLength;
-      if (Size + END_DEVICE_PATH_LENGTH > MaxSize) {
-        return FALSE;
-      }
+    if (NodeLength > MAX_UINTN - Size) {
+      return FALSE;
+    }
+    Size += NodeLength;
+
+    //
+    // Validate next node before touch it.
+    //
+    if (Size > MaxSize - END_DEVICE_PATH_LENGTH ) {
+      return FALSE;
     }
 
     if (PcdGet32 (PcdMaximumDevicePathNodeCount) > 0) {
-- 
2.6.4.windows.1



  parent reply	other threads:[~2016-10-27  6:36 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-27  6:36 [Patch 0/4] Enhance IsDevciePathValid API Eric Dong
2016-10-27  6:36 ` [Patch 1/4] MdePkg DevicePathLib: Rollback former change Eric Dong
2016-10-27  6:36 ` Eric Dong [this message]
2016-10-27  6:36 ` [Patch 3/4] MdePkg UefiDevicePathLib: " Eric Dong
2016-10-27  6:36 ` [Patch 4/4] MdePkg UefiDevicePathLib: Validate before touch input buffer Eric Dong

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1477550191-11836-3-git-send-email-eric.dong@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox