From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <hao.a.wu@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=192.55.52.43; helo=mga05.intel.com; envelope-from=hao.a.wu@intel.com;
 receiver=edk2-devel@lists.01.org 
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 800712035BA2E
 for <edk2-devel@lists.01.org>; Mon, 18 Dec 2017 19:24:48 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga006.fm.intel.com ([10.253.24.20])
 by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 18 Dec 2017 19:29:34 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.45,424,1508828400"; d="scan'208";a="188196738"
Received: from shwdeopenpsi014.ccr.corp.intel.com ([10.239.9.10])
 by fmsmga006.fm.intel.com with ESMTP; 18 Dec 2017 19:29:33 -0800
From: Hao Wu <hao.a.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Hao Wu <hao.a.wu@intel.com>, Liming Gao <liming.gao@intel.com>,
 Yonghong Zhu <yonghong.zhu@intel.com>
Date: Tue, 19 Dec 2017 11:29:07 +0800
Message-Id: <20171219032912.14404-13-hao.a.wu@intel.com>
X-Mailer: git-send-email 2.12.0.windows.1
In-Reply-To: <20171219032912.14404-1-hao.a.wu@intel.com>
References: <20171219032912.14404-1-hao.a.wu@intel.com>
Subject: [PATCH 12/17] BaseTools/GenVtf: Add/refine boundary checks for strcpy/strcat calls
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 03:24:48 -0000

Add checks to ensure when the destination string buffer is of fixed
size, the strcpy/strcat functions calls will not access beyond the
boundary.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 BaseTools/Source/C/GenVtf/GenVtf.c | 43 ++++++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 6 deletions(-)

diff --git a/BaseTools/Source/C/GenVtf/GenVtf.c b/BaseTools/Source/C/GenVtf/GenVtf.c
index 2ae9a7be2c..65ae08eece 100644
--- a/BaseTools/Source/C/GenVtf/GenVtf.c
+++ b/BaseTools/Source/C/GenVtf/GenVtf.c
@@ -362,10 +362,20 @@ Returns:
       }
     } else if (strnicmp (*TokenStr, "COMP_BIN", 8) == 0) {
       TokenStr++;
-      strcpy (VtfInfo->CompBinName, *TokenStr);
+      if (strlen (*TokenStr) >= FILE_NAME_SIZE) {
+        Error (NULL, 0, 3000, "Invalid", "The 'COMP_BIN' name is too long.");
+        return ;
+      }
+      strncpy (VtfInfo->CompBinName, *TokenStr, FILE_NAME_SIZE - 1);
+      VtfInfo->CompBinName[FILE_NAME_SIZE - 1] = 0;
     } else if (strnicmp (*TokenStr, "COMP_SYM", 8) == 0) {
       TokenStr++;
-      strcpy (VtfInfo->CompSymName, *TokenStr);
+      if (strlen (*TokenStr) >= FILE_NAME_SIZE) {
+        Error (NULL, 0, 3000, "Invalid", "The 'COMP_SYM' name is too long.");
+        return ;
+      }
+      strncpy (VtfInfo->CompSymName, *TokenStr, FILE_NAME_SIZE - 1);
+      VtfInfo->CompSymName[FILE_NAME_SIZE - 1] = 0;
     } else if (strnicmp (*TokenStr, "COMP_SIZE", 9) == 0) {
       TokenStr++;
       if (strnicmp (*TokenStr, "-", 1) == 0) {
@@ -444,14 +454,24 @@ Returns:
     if (SectionOptionFlag) {
       if (stricmp (*TokenStr, "IA32_RST_BIN") == 0) {
         TokenStr++;
-        strcpy (IA32BinFile, *TokenStr);
+        if (strlen (*TokenStr) >= FILE_NAME_SIZE) {
+          Error (NULL, 0, 3000, "Invalid", "The 'IA32_RST_BIN' name is too long.");
+          break;
+        }
+        strncpy (IA32BinFile, *TokenStr, FILE_NAME_SIZE - 1);
+        IA32BinFile[FILE_NAME_SIZE - 1] = 0;
       }
     }
 
     if (SectionCompFlag) {
       if (stricmp (*TokenStr, "COMP_NAME") == 0) {
         TokenStr++;
-        strcpy (FileListPtr->CompName, *TokenStr);
+        if (strlen (*TokenStr) >= COMPONENT_NAME_SIZE) {
+          Error (NULL, 0, 3000, "Invalid", "The 'COMP_NAME' name is too long.");
+          break;
+        }
+        strncpy (FileListPtr->CompName, *TokenStr, COMPONENT_NAME_SIZE - 1);
+        FileListPtr->CompName[COMPONENT_NAME_SIZE - 1] = 0;
         TokenStr++;
         ParseAndUpdateComponents (FileListPtr);
       }
@@ -2240,9 +2260,20 @@ Returns:
   //
   // Use the file name minus extension as the base for tokens
   //
-  strcpy (BaseToken, SourceFileName);
+  if (strlen (SourceFileName) >= MAX_LONG_FILE_PATH) {
+    fclose (SourceFile);
+    Error (NULL, 0, 2000, "Invalid parameter", "The source file name is too long.");
+    return EFI_ABORTED;
+  }
+  strncpy (BaseToken, SourceFileName, MAX_LONG_FILE_PATH - 1);
+  BaseToken[MAX_LONG_FILE_PATH - 1] = 0;
   strtok (BaseToken, ". \t\n");
-  strcat (BaseToken, "__");
+  if (strlen (BaseToken) + strlen ("__") >= MAX_LONG_FILE_PATH) {
+    fclose (SourceFile);
+    Error (NULL, 0, 2000, "Invalid parameter", "The source file name is too long.");
+    return EFI_ABORTED;
+  }
+  strncat (BaseToken, "__", MAX_LONG_FILE_PATH - strlen (BaseToken) - 1);
 
   //
   // Open the destination file
-- 
2.12.0.windows.1