From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.43; helo=mga05.intel.com; envelope-from=hao.a.wu@intel.com; receiver=edk2-devel@lists.01.org Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 65F942035BA25 for ; Mon, 18 Dec 2017 19:24:47 -0800 (PST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Dec 2017 19:29:33 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.45,424,1508828400"; d="scan'208";a="188196732" Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.10]) by fmsmga006.fm.intel.com with ESMTP; 18 Dec 2017 19:29:32 -0800 From: Hao Wu To: edk2-devel@lists.01.org Cc: Hao Wu , Liming Gao , Yonghong Zhu Date: Tue, 19 Dec 2017 11:29:06 +0800 Message-Id: <20171219032912.14404-12-hao.a.wu@intel.com> X-Mailer: git-send-email 2.12.0.windows.1 In-Reply-To: <20171219032912.14404-1-hao.a.wu@intel.com> References: <20171219032912.14404-1-hao.a.wu@intel.com> Subject: [PATCH 11/17] BaseTools/GenFv: Add/refine boundary checks for strcpy/strcat calls X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Dec 2017 03:24:47 -0000 Add checks to ensure when the destination string buffer is of fixed size, the strcpy/strcat functions calls will not access beyond the boundary. Cc: Liming Gao Cc: Yonghong Zhu Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Hao Wu --- BaseTools/Source/C/GenFv/GenFvInternalLib.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/BaseTools/Source/C/GenFv/GenFvInternalLib.c b/BaseTools/Source/C/GenFv/GenFvInternalLib.c index 2b80e7919b..fc1a7602ab 100644 --- a/BaseTools/Source/C/GenFv/GenFvInternalLib.c +++ b/BaseTools/Source/C/GenFv/GenFvInternalLib.c @@ -824,7 +824,11 @@ Returns: // // Construct Map file Name // - strcpy (PeMapFileName, FileName); + if (strlen (FileName) >= MAX_LONG_FILE_PATH) { + return EFI_ABORTED; + } + strncpy (PeMapFileName, FileName, MAX_LONG_FILE_PATH - 1); + PeMapFileName[MAX_LONG_FILE_PATH - 1] = 0; // // Change '\\' to '/', unified path format. @@ -861,7 +865,11 @@ Returns: Cptr --; } *Cptr2 = '\0'; - strcpy (KeyWord, Cptr + 1); + if (strlen (Cptr + 1) >= MAX_LINE_LEN) { + return EFI_ABORTED; + } + strncpy (KeyWord, Cptr + 1, MAX_LINE_LEN - 1); + KeyWord[MAX_LINE_LEN - 1] = 0; *Cptr2 = '.'; // @@ -3534,7 +3542,12 @@ Returns: // // Construct the original efi file Name // - strcpy (PeFileName, FileName); + if (strlen (FileName) >= MAX_LONG_FILE_PATH) { + Error (NULL, 0, 2000, "Invalid", "The file name %s is too long.", FileName); + return EFI_ABORTED; + } + strncpy (PeFileName, FileName, MAX_LONG_FILE_PATH - 1); + PeFileName[MAX_LONG_FILE_PATH - 1] = 0; Cptr = PeFileName + strlen (PeFileName); while (*Cptr != '.') { Cptr --; @@ -3789,7 +3802,12 @@ Returns: // // Construct the original efi file name // - strcpy (PeFileName, FileName); + if (strlen (FileName) >= MAX_LONG_FILE_PATH) { + Error (NULL, 0, 2000, "Invalid", "The file name %s is too long.", FileName); + return EFI_ABORTED; + } + strncpy (PeFileName, FileName, MAX_LONG_FILE_PATH - 1); + PeFileName[MAX_LONG_FILE_PATH - 1] = 0; Cptr = PeFileName + strlen (PeFileName); while (*Cptr != '.') { Cptr --; -- 2.12.0.windows.1