From: Star Zeng
To: edk2-devel@lists.01.org
Cc: Star Zeng, Liming Gao
Date: Thu, 22 Jun 2017 21:35:18 +0800
Message-Id: <1498138518-151584-3-git-send-email-star.zeng@intel.com>
In-Reply-To: <1498138518-151584-1-git-send-email-star.zeng@intel.com>
Subject: [PATCH 2/2] MdeModulePkg Variable: Update GetNextVariableName to follow UEFI 2.7
List-Id: EDK II Development

"The size must be large enough to fit input string supplied in
VariableName buffer" is added in the description for VariableNameSize.
And two cases of EFI_INVALID_PARAMETER are added.
1. The input values of VariableName and VendorGuid are not a name and
   GUID of an existing variable.
2. Null-terminator is not found in the first VariableNameSize bytes of
   the input VariableName buffer.

This patch is to update code to follow them.

Cc: Liming Gao
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c index 0a325de1659d..d8f41d799238 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c @@ -2926,6 +2926,12 @@ VariableServiceGetNextVariableInternal ( Status = FindVariable (VariableName, VendorGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE); if (Variable.CurrPtr == NULL || EFI_ERROR (Status)) { + if (VariableName[0] != 0) { + // + // The input values of VariableName and VendorGuid are not a name and GUID of an existing variable. + // + Status = EFI_INVALID_PARAMETER; + } goto Done; } @@ -3065,6 +3071,7 @@ VariableServiceGetNextVariableName ( ) { EFI_STATUS Status; + UINTN MaxLen; UINTN VarNameSize; VARIABLE_HEADER *VariablePtr; @@ -3072,6 +3079,18 @@ VariableServiceGetNextVariableName ( return EFI_INVALID_PARAMETER; } + // + // Calculate the possible maximum length of name string, including the Null terminator. + // + MaxLen = *VariableNameSize / sizeof (CHAR16); + if ((MaxLen == 0) || + ((VariableName[MaxLen - 1] != 0) && (StrnLenS (VariableName, MaxLen) >= MaxLen))) { + // + // Null-terminator is not found in the first VariableNameSize bytes of the input VariableName buffer. + // + return EFI_INVALID_PARAMETER; + } + AcquireLockOnlyAtBootTime(&mVariableModuleGlobal->VariableGlobal.VariableServicesLock); Status = VariableServiceGetNextVariableInternal (VariableName, VendorGuid, &VariablePtr); -- 2.7.0.windows.1
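
Review bot: In the @@ -2926 hunk (VariableServiceGetNextVariableInternal), the new `Status = EFI_INVALID_PARAMETER;` assignment overwrites whatever FindVariable returned, because the enclosing branch is taken for `Variable.CurrPtr == NULL || EFI_ERROR (Status)` and the only extra condition is `VariableName[0] != 0`. If the intent is to remap only the lookup miss described in the commit message, test for that status explicitly before overriding, so that any other failure from FindVariable is still propagated unchanged. Since this sits in the internal function rather than the service wrapper, every caller of VariableServiceGetNextVariableInternal now gets a different status for a non-empty name that matches nothing; callers that interpret the previous failure status as the end of enumeration should be checked. None of the 19 inserted lines touches a function header comment, so the return-value documentation for this function should also gain the new EFI_INVALID_PARAMETER case.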
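
Review bot: In the @@ -3072 hunk (VariableServiceGetNextVariableName), `MaxLen = *VariableNameSize / sizeof (CHAR16);` silently rounds an odd byte count down, and the `(MaxLen == 0)` arm then rejects any *VariableNameSize below sizeof (CHAR16) with EFI_INVALID_PARAMETER before the lookup runs. Please confirm that this is the intended result for a caller that passes a zero size to probe for the required length, and state the rounding in the comment above the calculation. The `VariableName[MaxLen - 1] != 0` test is a shortcut only: StrnLenS (VariableName, MaxLen) alone decides whether a terminator exists within MaxLen characters, and it returns MaxLen when none is found, so `>= MaxLen` could be written `== MaxLen`; a one-line comment saying the first test avoids the scan would help. The check also reads up to *VariableNameSize bytes of the caller's buffer on the strength of the caller's own size value, and it lives only in this wrapper, so any other entry point that reaches VariableServiceGetNextVariableInternal does not get it. As in the earlier hunk, the function header comment is not updated to list the new EFI_INVALID_PARAMETER condition.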