From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1 with cipher CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 980661A1EC4 for ; Wed, 26 Oct 2016 23:36:39 -0700 (PDT) Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga103.jf.intel.com with ESMTP; 26 Oct 2016 23:36:39 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.31,404,1473145200"; d="scan'208";a="184395113" Received: from shwde7156.ccr.corp.intel.com ([10.239.158.52]) by fmsmga004.fm.intel.com with ESMTP; 26 Oct 2016 23:36:38 -0700 From: Eric Dong To: edk2-devel@lists.01.org Cc: Ruiyu NI , Jiewen Yao Date: Thu, 27 Oct 2016 14:36:31 +0800 Message-Id: <1477550191-11836-5-git-send-email-eric.dong@intel.com> X-Mailer: git-send-email 2.6.4.windows.1 In-Reply-To: <1477550191-11836-1-git-send-email-eric.dong@intel.com> References: <1477550191-11836-1-git-send-email-eric.dong@intel.com> Subject: [Patch 4/4] MdePkg UefiDevicePathLib: Validate before touch input buffer. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Oct 2016 06:36:39 -0000 Current code not validate the input buffer before touch. it may touch the buffer outside the validate scope. This patch validate the input size big enough to touch the first node. Cc: Ruiyu NI Cc: Jiewen Yao Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong --- .../UefiDevicePathLib/DevicePathUtilities.c | 26 +++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/MdePkg/Library/UefiDevicePathLib/DevicePathUtilities.c b/MdePkg/Library/UefiDevicePathLib/DevicePathUtilities.c index 024dcc2..bb4a563 100644 --- a/MdePkg/Library/UefiDevicePathLib/DevicePathUtilities.c +++ b/MdePkg/Library/UefiDevicePathLib/DevicePathUtilities.c @@ -61,17 +61,33 @@ IsDevicePathValid ( ASSERT (DevicePath != NULL); + if (MaxSize == 0) { + MaxSize = MAX_UINTN; + } + + // + // Validate the input size big enough to touch the first node. + // + if (MaxSize < sizeof (EFI_DEVICE_PATH_PROTOCOL)) { + return FALSE; + } + for (Count = 0, Size = 0; !IsDevicePathEnd (DevicePath); DevicePath = NextDevicePathNode (DevicePath)) { NodeLength = DevicePathNodeLength (DevicePath); if (NodeLength < sizeof (EFI_DEVICE_PATH_PROTOCOL)) { return FALSE; } - if (MaxSize > 0) { - Size += NodeLength; - if (Size + END_DEVICE_PATH_LENGTH > MaxSize) { - return FALSE; - } + if (NodeLength > MAX_UINTN - Size) { + return FALSE; + } + Size += NodeLength; + + // + // Validate next node before touch it. + // + if (Size > MaxSize - END_DEVICE_PATH_LENGTH ) { + return FALSE; } if (PcdGet32 (PcdMaximumDevicePathNodeCount) > 0) { -- 2.6.4.windows.1