From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=pass header.i=@armh.onmicrosoft.com header.s=selector2-armh-onmicrosoft-com header.b=sXXsyLeL; spf=pass (domain: arm.com, ip: 40.107.7.87, mailfrom: krzysztof.koch@arm.com) Received: from EUR04-HE1-obe.outbound.protection.outlook.com (EUR04-HE1-obe.outbound.protection.outlook.com [40.107.7.87]) by groups.io with SMTP; Thu, 01 Aug 2019 01:46:11 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vOHaxVYsuiHlh4pr96Jkg2wbmnLKPx21+jPAX+F6Ovw=; b=sXXsyLeLZY61+BRr/YkQNkO7Dxbtn1YYNnNyAHISRdE1WcbSVPVxXzbJtJU384zhizYFIpQepdZENYqarHnIKEMzZ1kl9Nr8IQ4ZOol4Xd9JeDSp7PKaQhnwgSEyZBOR+WY/Cb5jN0X/JIzzhCBExxE0Ymr5cJo60UC3Mp3kd8g= Received: from DB7PR08CA0004.eurprd08.prod.outlook.com (2603:10a6:5:16::17) by DB8PR08MB4954.eurprd08.prod.outlook.com (2603:10a6:10:bf::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2115.15; Thu, 1 Aug 2019 08:46:07 +0000 Received: from DB5EUR03FT037.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e0a::208) by DB7PR08CA0004.outlook.office365.com (2603:10a6:5:16::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2136.13 via Frontend Transport; Thu, 1 Aug 2019 08:46:07 +0000 Authentication-Results: spf=temperror (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; edk2.groups.io; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;edk2.groups.io; dmarc=temperror action=none header.from=arm.com; Received-SPF: TempError (protection.outlook.com: error in processing during lookup of arm.com: DNS Timeout) Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT037.mail.protection.outlook.com (10.152.20.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2052.18 via Frontend Transport; Thu, 1 Aug 2019 08:46:05 +0000 Received: ("Tessian outbound 6d016ca6b65d:v26"); Thu, 01 Aug 2019 08:46:05 +0000 X-CheckRecipientChecked: true X-CR-MTA-CID: e109381fdd0ffb93 X-CR-MTA-TID: 64aa7808 Received: from fad75327a3b5.1 (ip-172-16-0-2.eu-west-1.compute.internal [104.47.4.52]) by 64aa7808-outbound-1.mta.getcheckrecipient.com id 9304FCC1-B5F6-4FD8-8313-A2758F835E31.1; Thu, 01 Aug 2019 08:46:00 +0000 Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-am5eur02lp2052.outbound.protection.outlook.com [104.47.4.52]) by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id fad75327a3b5.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Thu, 01 Aug 2019 08:46:00 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Qc3BulZne2n16NxrSaGaqLoIjgG87ejMBXIdW0PSg8XbJQz97gUUF1pZb5cs4UrM8toLAIjOqTxXBQf4lo/GGopZD340XKUjLB46FkpDHbN+eIuhxt4WeCP013r2d7RUunkiqj2oRf2OA+ZpZY2zhrSoFjtUAMq/jaefiKDWVwYre1dk6tiy2801esXvD6tThxR9xGLFLpeFIS9rXL4oe4VSGVqXHLMzuStXuqJhTg+RlbXkz6q3l6pUGL83h79EhzE57cHAqwUQ/BWZaFzCUTiZjnAh1NCxZ7lp3IKtLFRg0NkMsPek7b+S3+LBcvTVBQpCd1omUorrEgu26cB4cw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vOHaxVYsuiHlh4pr96Jkg2wbmnLKPx21+jPAX+F6Ovw=; b=HkLMZ2vywWiKn/TyxlT9WRXs7IKVeUMRD9bz5nxvSLs9v5n8zyEBxzqk3Xje9ASniDLWm0usaEI2LanWzhy11YjpDkpSMh6IWL//sixX9iySj6W/l19f995PvtGMNEVy8hkAtEfhFE56CcfqIc1D0XLVYES7IwvwWOllLM6dPoUH5Z1g3Z0cc1zEP8qIfVXEp4h1FkWg339kNiPreoPIHo8aKQpstNxhY9+X/k2kY+L2PVPQV1vXtnSeZZwUB9i9HEr52z60Zg/guYQf8n6Xuj+BB2VtU8IeD881RgXKcbBGJrXDTDEV0Em2MgtNSEO1UXQCeo30eDky59p0W9rVfA== ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=temperror (sender ip is 40.67.248.234) smtp.rcpttodomain=edk2.groups.io smtp.mailfrom=arm.com;dmarc=temperror action=none header.from=arm.com;dkim=none (message not signed);arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vOHaxVYsuiHlh4pr96Jkg2wbmnLKPx21+jPAX+F6Ovw=; b=sXXsyLeLZY61+BRr/YkQNkO7Dxbtn1YYNnNyAHISRdE1WcbSVPVxXzbJtJU384zhizYFIpQepdZENYqarHnIKEMzZ1kl9Nr8IQ4ZOol4Xd9JeDSp7PKaQhnwgSEyZBOR+WY/Cb5jN0X/JIzzhCBExxE0Ymr5cJo60UC3Mp3kd8g= Received: from VI1PR0801CA0072.eurprd08.prod.outlook.com (2603:10a6:800:7d::16) by DB6PR0801MB1846.eurprd08.prod.outlook.com (2603:10a6:4:35::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2115.15; Thu, 1 Aug 2019 08:45:57 +0000 Received: from DB5EUR03FT017.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e0a::207) by VI1PR0801CA0072.outlook.office365.com (2603:10a6:800:7d::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2136.15 via Frontend Transport; Thu, 1 Aug 2019 08:45:57 +0000 Authentication-Results-Original: spf=temperror (sender IP is 40.67.248.234) smtp.mailfrom=arm.com; edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=temperror action=none header.from=arm.com; Received-SPF: TempError (protection.outlook.com: error in processing during lookup of arm.com: DNS Timeout) Received: from nebula.arm.com (40.67.248.234) by DB5EUR03FT017.mail.protection.outlook.com (10.152.20.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.20.2052.18 via Frontend Transport; Thu, 1 Aug 2019 08:45:55 +0000 Received: from AZ-NEU-EX04.Arm.com (10.251.24.32) by AZ-NEU-EX03.Arm.com (10.251.24.31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1415.2; Thu, 1 Aug 2019 08:44:16 +0000 Received: from E119924.Arm.com (10.1.199.124) by mail.arm.com (10.251.24.32) with Microsoft SMTP Server id 15.1.1415.2 via Frontend Transport; Thu, 1 Aug 2019 08:44:16 +0000 From: "Krzysztof Koch" To: CC: , , , , , Subject: [PATCH v1 3/6] ShellPkg: acpiview: IORT: Prevent buffer overruns Date: Thu, 1 Aug 2019 09:44:04 +0100 Message-ID: <20190801084407.48712-4-krzysztof.koch@arm.com> X-Mailer: git-send-email 2.16.2.windows.1 In-Reply-To: <20190801084407.48712-1-krzysztof.koch@arm.com> References: <20190801084407.48712-1-krzysztof.koch@arm.com> MIME-Version: 1.0 X-EOPAttributedMessage: 1 X-MS-Office365-Filtering-HT: Tenant X-Forefront-Antispam-Report-Untrusted: CIP:40.67.248.234;IPV:NLI;CTRY:IE;EFV:NLI;SFV:NSPM;SFS:(10009020)(4636009)(396003)(39860400002)(136003)(376002)(346002)(2980300002)(189003)(199004)(316002)(50466002)(81156014)(14444005)(44832011)(6666004)(70206006)(76176011)(486006)(47776003)(53416004)(70586007)(336012)(478600001)(50226002)(8936002)(54906003)(86362001)(63350400001)(6916009)(186003)(126002)(48376002)(8676002)(81166006)(4326008)(356004)(476003)(7696005)(68736007)(2906002)(2616005)(51416003)(11346002)(16586007)(1076003)(53936002)(63370400001)(5660300002)(2351001)(26005)(36756003)(426003)(305945005)(446003)(19627235002);DIR:OUT;SFP:1101;SCL:1;SRVR:DB6PR0801MB1846;H:nebula.arm.com;FPR:;SPF:TempError;LANG:en;PTR:InfoDomainNonexistent;MX:1;A:1; X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: f56cb967-b027-46e3-caf6-08d7165cb116 X-Microsoft-Antispam-Untrusted: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328);SRVR:DB6PR0801MB1846; X-MS-TrafficTypeDiagnostic: DB6PR0801MB1846:|DB8PR08MB4954: X-Microsoft-Antispam-PRVS: x-checkrecipientrouted: true X-MS-Oob-TLC-OOBClassifiers: OLM:8273;OLM:8273; X-Forefront-PRVS: 01165471DB X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam-Message-Info-Original: nSCg0gwx/sfpT/kjWrtYP+qge5AdlbfFRa4DVmKNGgNAb7Tnr5c9eNpPgOlxGNxeOQ44Ukf94qGRTdaNQupEZeCNyP6na1diCb4DMzNrUrEW5/dymMvdLand5Xv7GZ1IenVUB0LNgYHDdb9i+FiapUUKVFuEIor57cmw+NIOMa5G1b/BVvIInciD7tf31q1Xdz/q+Khx+BXsypdvF0+BiTfy9Fn0mV2bPg/xYTK01UDaGEqtb8d4XyRS0ipjk80NZ1KOrMZZCik1KjYCCW4MXIYDudwNMRQ2sh+F6YD2+xdLxpkYHMdvSnBcmvd7P+ZYSlF5Sl0y/gZeaFlXbM7gx76jpnOW7/fBLrgUD2NKvD5UX5pUKHm22hHujNcKHxVhLytEKloO3I4VLzFXmRoWB87cNsdxkld0Elc1u0oZboM= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0801MB1846 Original-Authentication-Results: spf=temperror (sender IP is 40.67.248.234) smtp.mailfrom=arm.com; edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=temperror action=none header.from=arm.com; Return-Path: Krzysztof.Koch@arm.com X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT037.eop-EUR03.prod.protection.outlook.com X-Forefront-Antispam-Report: CIP:63.35.35.123;IPV:CAL;SCL:-1;CTRY:IE;EFV:NLI;SFV:NSPM;SFS:(10009020)(4636009)(136003)(376002)(346002)(396003)(39860400002)(2980300002)(189003)(199004)(1076003)(316002)(81166006)(81156014)(48376002)(8676002)(50466002)(53416004)(47776003)(76176011)(6916009)(50226002)(486006)(76130400001)(26005)(7696005)(51416003)(4326008)(2351001)(186003)(22756006)(6666004)(8936002)(86362001)(70586007)(70206006)(16586007)(54906003)(478600001)(126002)(19627235002)(26826003)(476003)(2906002)(11346002)(2616005)(36756003)(44832011)(336012)(446003)(305945005)(426003)(63370400001)(63350400001)(14444005)(5660300002);DIR:OUT;SFP:1101;SCL:1;SRVR:DB8PR08MB4954;H:64aa7808-outbound-1.mta.getcheckrecipient.com;FPR:;SPF:TempError;LANG:en;PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com;MX:1;A:1; X-MS-Office365-Filtering-Correlation-Id-Prvs: 1e64cae8-2417-42c1-547a-08d7165cab11 X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(710020)(711020)(4605104)(1401327)(2017052603328);SRVR:DB8PR08MB4954; NoDisclaimer: True X-Forefront-PRVS: 01165471DB X-Microsoft-Antispam-Message-Info: sa6UqH/bZwf5HqFy93Foj3QCOAeEJKM2UR0GIR3ix0HK0qZJP2tV1BKd9UhGYZTGTxZHC+O+tvyotbVgZ4IlIl4ICh6EkIK4HZvy5odjYX+YIqP2V7/BrH038p2N8ShjdC+jlPsfvUdgQt7n1QbbvYloMfwMY8sUQjgVZadXSkozaPMEIOz8sRie8yJnz5EmaJVUEBO5Rodt/jybYWDxd2a6PDywNnvCZhSnKFe+gUbOSLsTOuqfbqTclixyub66auIP19kFoAiDdTuAocwLcmMnsP92bwKCNcjVzhz3P7VIU1oOljyUIKLHt2zPYJxhmDxuYpmz0r7SpZWvgmFvEvOLLaZWadY0+d0EJ9rIo00usaJYzqEeNESwk27WRkhiHtUmjXAa2JFlHEJHlEBz+qyXIOpV8AnMCHB6joOK5gg= X-OriginatorOrg: arm.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Aug 2019 08:46:05.9547 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: f56cb967-b027-46e3-caf6-08d7165cb116 X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d;Ip=[63.35.35.123];Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR08MB4954 Content-Type: text/plain Modify the IORT table parsing logic to prevent reading past the buffer lengths provided. Change DumpIortNodeIdMappings() function's signature and implementation to simplify buffer overrun prevention. Update all calls to this function accordingly. Modify the parser for each type of IORT node such that the offset from the start of the node's buffer is tracked as the parsing function is executed. Again, this change helps prevent buffer overruns. Test that the IORT node buffer fits in the table buffer before the node's buffer contents are dumped. References: - IO Remapping Table (Issue D), Platform Design Document, March 2018 Signed-off-by: Krzysztof Koch --- Notes: v1: - Prevent buffer overruns in IORT acpiview parser [Krzysztof] ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c | 191 +++++++++++--------- 1 file changed, 105 insertions(+), 86 deletions(-) diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c index 7c850b3813d5204775e2cc247cabf42358b25769..8912d415a755c7f892b5cd2edc532aae8964a42c 100644 --- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c +++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Iort/IortParser.c @@ -247,42 +247,41 @@ STATIC CONST ACPI_PARSER IortNodePmcgParser[] = { /** This function parses the IORT Node Id Mapping array. - @param [in] Ptr Pointer to the start of the IORT Table. + @param [in] Ptr Pointer to the start of the ID mapping array. + @param [in] Length Length of the buffer. @param [in] MappingCount The ID Mapping count. - @param [in] MappingOffset The offset of the ID Mapping array - from the start of the IORT table. **/ STATIC VOID DumpIortNodeIdMappings ( IN UINT8* Ptr, - IN UINT32 MappingCount, - IN UINT32 MappingOffset + IN UINT32 Length, + IN UINT32 MappingCount ) { - UINT8* IdMappingPtr; UINT32 Index; UINT32 Offset; CHAR8 Buffer[40]; // Used for AsciiName param of ParseAcpi - IdMappingPtr = Ptr + MappingOffset; Index = 0; - while (Index < MappingCount) { + Offset = 0; + + while ((Index < MappingCount) && + (Offset < Length)) { AsciiSPrint ( Buffer, sizeof (Buffer), "ID Mapping [%d]", Index ); - Offset = ParseAcpi ( - TRUE, - 4, - Buffer, - IdMappingPtr, - 20, - PARSER_PARAMS (IortNodeIdMappingParser) - ); - IdMappingPtr += Offset; + Offset += ParseAcpi ( + TRUE, + 4, + Buffer, + Ptr + Offset, + Length - Offset, + PARSER_PARAMS (IortNodeIdMappingParser) + ); Index++; } } @@ -309,8 +308,6 @@ DumpIortNodeSmmuV1V2 ( UINT32 Offset; CHAR8 Buffer[50]; // Used for AsciiName param of ParseAcpi - UINT8* ArrayPtr; - ParseAcpi ( TRUE, 2, @@ -320,51 +317,55 @@ DumpIortNodeSmmuV1V2 ( PARSER_PARAMS (IortNodeSmmuV1V2Parser) ); - ArrayPtr = Ptr + *InterruptContextOffset; + Offset = *InterruptContextOffset; Index = 0; - while (Index < *InterruptContextCount) { + + while ((Index < *InterruptContextCount) && + (Offset < Length)) { AsciiSPrint ( Buffer, sizeof (Buffer), "Context Interrupts Array [%d]", Index ); - Offset = ParseAcpi ( - TRUE, - 4, - Buffer, - ArrayPtr, - 8, - PARSER_PARAMS (InterruptArrayParser) - ); - ArrayPtr += Offset; + Offset += ParseAcpi ( + TRUE, + 4, + Buffer, + Ptr + Offset, + Length - Offset, + PARSER_PARAMS (InterruptArrayParser) + ); Index++; } - ArrayPtr = Ptr + *PmuInterruptOffset; + Offset = *PmuInterruptOffset; Index = 0; - while (Index < *PmuInterruptCount) { + + while ((Index < *PmuInterruptCount) && + (Offset < Length)) { AsciiSPrint ( Buffer, sizeof (Buffer), "PMU Interrupts Array [%d]", Index ); - Offset = ParseAcpi ( - TRUE, - 4, - Buffer, - ArrayPtr, - 8, - PARSER_PARAMS (InterruptArrayParser) - ); - ArrayPtr += Offset; + Offset += ParseAcpi ( + TRUE, + 4, + Buffer, + Ptr + Offset, + Length - Offset, + PARSER_PARAMS (InterruptArrayParser) + ); Index++; } - if (*IortIdMappingCount != 0) { - DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); - } + DumpIortNodeIdMappings ( + Ptr + MappingOffset, + Length - MappingOffset, + MappingCount + ); } /** @@ -394,9 +395,11 @@ DumpIortNodeSmmuV3 ( PARSER_PARAMS (IortNodeSmmuV3Parser) ); - if (*IortIdMappingCount != 0) { - DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); - } + DumpIortNodeIdMappings ( + Ptr + MappingOffset, + Length - MappingOffset, + MappingCount + ); } /** @@ -414,40 +417,40 @@ DumpIortNodeIts ( { UINT32 Offset; UINT32 Index; - UINT8* ItsIdPtr; CHAR8 Buffer[80]; // Used for AsciiName param of ParseAcpi Offset = ParseAcpi ( - TRUE, - 2, - "ITS Node", - Ptr, - Length, - PARSER_PARAMS (IortNodeItsParser) - ); + TRUE, + 2, + "ITS Node", + Ptr, + Length, + PARSER_PARAMS (IortNodeItsParser) + ); - ItsIdPtr = Ptr + Offset; Index = 0; - while (Index < *ItsCount) { + + while ((Index < *ItsCount) && + (Offset < Length)) { AsciiSPrint ( Buffer, sizeof (Buffer), "GIC ITS Identifier Array [%d]", Index ); - Offset = ParseAcpi ( - TRUE, - 4, - Buffer, - ItsIdPtr, - 4, - PARSER_PARAMS (ItsIdParser) - ); - ItsIdPtr += Offset; + Offset += ParseAcpi ( + TRUE, + 4, + Buffer, + Ptr + Offset, + Length - Offset, + PARSER_PARAMS (ItsIdParser) + ); Index++; } // Note: ITS does not have the ID Mappings Array + } /** @@ -470,8 +473,6 @@ DumpIortNodeNamedComponent ( { UINT32 Offset; UINT32 Index; - UINT8* DeviceNamePtr; - UINT32 DeviceNameLength; Offset = ParseAcpi ( TRUE, @@ -482,19 +483,22 @@ DumpIortNodeNamedComponent ( PARSER_PARAMS (IortNodeNamedComponentParser) ); - DeviceNamePtr = Ptr + Offset; // Estimate the Device Name length - DeviceNameLength = Length - Offset - (MappingCount * 20); PrintFieldName (2, L"Device Object Name"); Index = 0; - while ((Index < DeviceNameLength) && (DeviceNamePtr[Index] != 0)) { - Print (L"%c", DeviceNamePtr[Index++]); + + while ((*(Ptr + Offset) != 0) && + (Offset < Length)) { + Print (L"%c", *(Ptr + Offset)); + Offset++; } Print (L"\n"); - if (*IortIdMappingCount != 0) { - DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); - } + DumpIortNodeIdMappings ( + Ptr + MappingOffset, + Length - MappingOffset, + MappingCount + ); } /** @@ -524,9 +528,11 @@ DumpIortNodeRootComplex ( PARSER_PARAMS (IortNodeRootComplexParser) ); - if (*IortIdMappingCount != 0) { - DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); - } + DumpIortNodeIdMappings ( + Ptr + MappingOffset, + Length - MappingOffset, + MappingCount + ); } /** @@ -554,11 +560,13 @@ DumpIortNodePmcg ( Ptr, Length, PARSER_PARAMS (IortNodePmcgParser) - ); + ); - if (*IortIdMappingCount != 0) { - DumpIortNodeIdMappings (Ptr, MappingCount, MappingOffset); - } + DumpIortNodeIdMappings ( + Ptr + MappingOffset, + Length - MappingOffset, + MappingCount + ); } /** @@ -605,23 +613,34 @@ ParseAcpiIort ( AcpiTableLength, PARSER_PARAMS (IortParser) ); + Offset = *IortNodeOffset; NodePtr = Ptr + Offset; Index = 0; - while ((Index < *IortNodeCount) && (Offset < AcpiTableLength)) { + // Parse the specified number of IORT nodes or the IORT table buffer length. + // Whichever is minimum. + while ((Index++ < *IortNodeCount) && + (Offset < AcpiTableLength)) { // Parse the IORT Node Header ParseAcpi ( FALSE, 0, "IORT Node Header", NodePtr, - 16, + AcpiTableLength - Offset, PARSER_PARAMS (IortNodeHeaderParser) ); - if (*IortNodeLength == 0) { + + // Make sure the IORT Node is inside the table + if ((Offset + (*IortNodeLength)) > AcpiTableLength) { IncrementErrorCount (); - Print (L"ERROR: Parser error. Invalid table data.\n"); + Print ( + L"ERROR: Invalid IORT node length. IortNodeLength = %d. " \ + L"RemainingTableBufferLength = %d. IORT parsing aborted.\n", + *IortNodeLength, + AcpiTableLength - Offset + ); return; } -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'