From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Hao Wu <hao.a.wu@intel.com>, Liming Gao <liming.gao@intel.com>,
Yonghong Zhu <yonghong.zhu@intel.com>
Subject: [PATCH 11/17] BaseTools/GenFv: Add/refine boundary checks for strcpy/strcat calls
Date: Tue, 19 Dec 2017 11:29:06 +0800 [thread overview]
Message-ID: <20171219032912.14404-12-hao.a.wu@intel.com> (raw)
In-Reply-To: <20171219032912.14404-1-hao.a.wu@intel.com>
Add checks to ensure when the destination string buffer is of fixed
size, the strcpy/strcat functions calls will not access beyond the
boundary.
Cc: Liming Gao <liming.gao@intel.com>
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
BaseTools/Source/C/GenFv/GenFvInternalLib.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/BaseTools/Source/C/GenFv/GenFvInternalLib.c b/BaseTools/Source/C/GenFv/GenFvInternalLib.c
index 2b80e7919b..fc1a7602ab 100644
--- a/BaseTools/Source/C/GenFv/GenFvInternalLib.c
+++ b/BaseTools/Source/C/GenFv/GenFvInternalLib.c
@@ -824,7 +824,11 @@ Returns:
//
// Construct Map file Name
//
- strcpy (PeMapFileName, FileName);
+ if (strlen (FileName) >= MAX_LONG_FILE_PATH) {
+ return EFI_ABORTED;
+ }
+ strncpy (PeMapFileName, FileName, MAX_LONG_FILE_PATH - 1);
+ PeMapFileName[MAX_LONG_FILE_PATH - 1] = 0;
//
// Change '\\' to '/', unified path format.
@@ -861,7 +865,11 @@ Returns:
Cptr --;
}
*Cptr2 = '\0';
- strcpy (KeyWord, Cptr + 1);
+ if (strlen (Cptr + 1) >= MAX_LINE_LEN) {
+ return EFI_ABORTED;
+ }
+ strncpy (KeyWord, Cptr + 1, MAX_LINE_LEN - 1);
+ KeyWord[MAX_LINE_LEN - 1] = 0;
*Cptr2 = '.';
//
@@ -3534,7 +3542,12 @@ Returns:
//
// Construct the original efi file Name
//
- strcpy (PeFileName, FileName);
+ if (strlen (FileName) >= MAX_LONG_FILE_PATH) {
+ Error (NULL, 0, 2000, "Invalid", "The file name %s is too long.", FileName);
+ return EFI_ABORTED;
+ }
+ strncpy (PeFileName, FileName, MAX_LONG_FILE_PATH - 1);
+ PeFileName[MAX_LONG_FILE_PATH - 1] = 0;
Cptr = PeFileName + strlen (PeFileName);
while (*Cptr != '.') {
Cptr --;
@@ -3789,7 +3802,12 @@ Returns:
//
// Construct the original efi file name
//
- strcpy (PeFileName, FileName);
+ if (strlen (FileName) >= MAX_LONG_FILE_PATH) {
+ Error (NULL, 0, 2000, "Invalid", "The file name %s is too long.", FileName);
+ return EFI_ABORTED;
+ }
+ strncpy (PeFileName, FileName, MAX_LONG_FILE_PATH - 1);
+ PeFileName[MAX_LONG_FILE_PATH - 1] = 0;
Cptr = PeFileName + strlen (PeFileName);
while (*Cptr != '.') {
Cptr --;
--
2.12.0.windows.1
next prev parent reply other threads:[~2017-12-19 3:24 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-19 3:28 [PATCH 00/17] BaseTools/C: Code refinements Hao Wu
2017-12-19 3:28 ` [PATCH 01/17] BaseTools/C/Common: Add checks for array access Hao Wu
2017-12-19 3:28 ` [PATCH 02/17] BaseTools/EfiRom: Refine the logic in main() Hao Wu
2017-12-19 3:28 ` [PATCH 03/17] BaseTools/LzmaCompress: Fix possible uninitialized variable Hao Wu
2017-12-19 3:28 ` [PATCH 04/17] BaseTools/C/Common: Remove redundant type cast Hao Wu
2017-12-19 3:29 ` [PATCH 05/17] BaseTools/VfrCompile: Assign 'NULL' for closed file handle Hao Wu
2017-12-19 3:29 ` [PATCH 06/17] BaseTools/GenFv: Add check to ensure the file handle status is correct Hao Wu
2017-12-19 3:29 ` [PATCH 07/17] BaseTools/C/Common: Add/refine boundary checks for strcpy/strcat calls Hao Wu
2017-12-19 3:29 ` [PATCH 08/17] BaseTools/C/Common: Refine using sprintf() with '%s' in format string Hao Wu
2017-12-19 3:29 ` [PATCH 09/17] BaseTools/EfiRom: Add/refine boundary checks for strcpy/strcat calls Hao Wu
2017-12-19 3:29 ` [PATCH 10/17] BaseTools/GenBootSector: Add/refine boundary checks for strcpy/strcat Hao Wu
2017-12-19 3:29 ` Hao Wu [this message]
2017-12-19 3:29 ` [PATCH 12/17] BaseTools/GenVtf: Add/refine boundary checks for strcpy/strcat calls Hao Wu
2017-12-19 3:29 ` [PATCH 13/17] BaseTools/VfrCompile: Add/refine boundary checks for strcpy/strcat Hao Wu
2017-12-19 3:29 ` [PATCH 14/17] BaseTools/VfrCompile: Resolve uninit class variables in constructor Hao Wu
2017-12-19 3:29 ` [PATCH 15/17] BaseTools/GenFfs: Enlarge the size of 'AlignmentBuffer' Hao Wu
2017-12-19 3:29 ` [PATCH 16/17] BaseTools/GenSec: Fix potential memory leak Hao Wu
2017-12-19 3:29 ` [PATCH 17/17] BaseTools/GenSec: Fix potential null pointer dereference Hao Wu
2017-12-25 1:48 ` [PATCH 00/17] BaseTools/C: Code refinements Gao, Liming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171219032912.14404-12-hao.a.wu@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox