From: "Bi, Dandan"
To: "Wang, Jian J", "edk2-devel@lists.01.org"
CC: "Gao, Liming"
Date: Wed, 8 Nov 2017 02:33:44 +0000
Subject: Re: [PATCH v3 3/3] IntelFrameworkModulePkg: Fix misuses of AllocateCopyPool
Message-ID: <3C0D5C461C9E904E8F62152F6274C0BB3B9D0474@shsmsx102.ccr.corp.intel.com>
References: <20171108021201.17436-1-jian.j.wang@intel.com> <20171108021201.17436-4-jian.j.wang@intel.com>
In-Reply-To: <20171108021201.17436-4-jian.j.wang@intel.com>

Reviewed-by: Dandan Bi

Thanks,
Dandan

-----Original Message-----
From: Wang, Jian J
Sent: Wednesday, November 8, 2017 10:12 AM
To: edk2-devel@lists.01.org
Cc: Gao, Liming; Bi, Dandan
Subject: [PATCH v3 3/3] IntelFrameworkModulePkg: Fix misuses of AllocateCopyPool

> v3:
>    No updates.
> v2:
>    a. Use ReallocatePool instead of allocating then copying wherever
>       applicable

AllocateCopyPool(AllocationSize, *Buffer) will copy "AllocationSize" bytes of memory from old "Buffer" to new allocated one. If "AllocationSize" is bigger than size of "Buffer", heap memory overflow occurs during copy.

One solution is to allocate pool first then copy the necessary bytes to new memory. Another is using ReallocatePool instead if old buffer will be freed on spot.

Cc: Liming Gao
Cc: Bi Dandan
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang --- .../Universal/BdsDxe/DeviceMngr/DeviceManager.c | 10 +++++-= ---- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceMana= ger.c b/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c index 125c49db5e..5103c7e5d1 100644 --- a/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c +++ b/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager. +++ c @@ -480,7 +480,11 @@ AddIdToMacDeviceList ( } else { mMacDeviceList.MaxListLen +=3D MAX_MAC_ADDRESS_NODE_LIST_LEN; if (mMacDeviceList.CurListLen !=3D 0) { - TempDeviceList =3D (MENU_INFO_ITEM *)AllocateCopyPool (sizeof (MENU_= INFO_ITEM) * mMacDeviceList.MaxListLen, (VOID *)mMacDeviceList.NodeList); + TempDeviceList =3D ReallocatePool ( + sizeof (MENU_INFO_ITEM) * mMacDeviceList.CurListL= en, + sizeof (MENU_INFO_ITEM) * mMacDeviceList.MaxListL= en, + mMacDeviceList.NodeList + ); } else { TempDeviceList =3D (MENU_INFO_ITEM *)AllocatePool (sizeof (MENU_INFO= _ITEM) * mMacDeviceList.MaxListLen); } @@ -491,10 +495,6 @@ AddIdToMacDeviceList ( TempDeviceList[mMacDeviceList.CurListLen].PromptId =3D PromptId; =20 TempDeviceList[mMacDeviceList.CurListLen].QuestionId =3D (EFI_QUESTION= _ID) (mMacDeviceList.CurListLen + NETWORK_DEVICE_LIST_KEY_OFFSET); =20 - if (mMacDeviceList.CurListLen > 0) { - FreePool(mMacDeviceList.NodeList); - } - =20 mMacDeviceList.NodeList =3D TempDeviceList; } mMacDeviceList.CurListLen ++; -- 2.14.1.windows.1
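
Review bot: In the first hunk (@@ -480,7 +480,11 @@, AddIdToMacDeviceList), mMacDeviceList.MaxListLen is incremented before ReallocatePool is called, so if the allocation fails the recorded capacity is already larger than the buffer NodeList still points to. Suggest computing the new length in a local and assigning MaxListLen only once TempDeviceList is known to be non-NULL; the same ordering applies to the AllocatePool branch. The NULL check itself would sit between the two hunks and is not visible here, so it is worth confirming that it precedes the TempDeviceList[mMacDeviceList.CurListLen] writes.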
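
Review bot: In the second hunk (@@ -491,10 +495,6 @@), removing the FreePool(mMacDeviceList.NodeList) block makes the release of the old buffer implicit in the ReallocatePool call added by the previous hunk, which is easy to miss when reading the assignment mMacDeviceList.NodeList = TempDeviceList on its own. A one-line comment at that assignment saying the old NodeList has already been freed by ReallocatePool would guard against the free being re-added later and turning into a double free.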
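
The over-long copy and the ReallocatePool-style fix described in the commit message, as an added example in portable C that is not part of the patch or of EDK II. The types, GROW_STEP, KEY_OFFSET and the realloc_pool() model are assumptions standing in for MENU_INFO_ITEM, MAX_MAC_ADDRESS_NODE_LIST_LEN, NETWORK_DEVICE_LIST_KEY_OFFSET and ReallocatePool.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define GROW_STEP  10      /* assumed stand-in for MAX_MAC_ADDRESS_NODE_LIST_LEN */
#define KEY_OFFSET 0x1000  /* assumed stand-in for NETWORK_DEVICE_LIST_KEY_OFFSET */

/* Simplified stand-ins for MENU_INFO_ITEM and mMacDeviceList (fields assumed). */
typedef struct { uint16_t PromptId; uint16_t QuestionId; } item_t;
typedef struct { item_t *nodes; size_t cur_len; size_t max_len; } list_t;

/* Bytes an AllocateCopyPool(alloc_size, src) copy reads past a src_size-byte source. */
size_t copy_overread(size_t alloc_size, size_t src_size) {
    return alloc_size > src_size ? alloc_size - src_size : 0;
}

/* Model of ReallocatePool(OldSize, NewSize, OldBuffer): zeroed new buffer,
   copy min(old, new) bytes, free the old buffer only on success. */
void *realloc_pool(size_t old_size, size_t new_size, void *old) {
    void *p = calloc(1, new_size);
    if (p != NULL && old != NULL) {
        memcpy(p, old, old_size < new_size ? old_size : new_size);
        free(old);
    }
    return p;
}

/* Append one entry. Returns 0 on success, -1 on failure (list unchanged). */
int list_add(list_t *l, uint16_t prompt_id) {
    if (l->cur_len == l->max_len) {
        size_t new_max = l->max_len + GROW_STEP;
        if (new_max > SIZE_MAX / sizeof(item_t)) return -1;  /* size overflow */
        item_t *tmp = realloc_pool(sizeof(item_t) * l->cur_len,
                                   sizeof(item_t) * new_max, l->nodes);
        if (tmp == NULL) return -1;  /* old buffer is still valid and owned */
        l->nodes = tmp;
        l->max_len = new_max;        /* commit capacity only after success */
    }
    l->nodes[l->cur_len].PromptId = prompt_id;
    l->nodes[l->cur_len].QuestionId = (uint16_t)(l->cur_len + KEY_OFFSET);
    l->cur_len++;
    return 0;
}

int main(void) {
    list_t l = {0};
    for (int i = 0; i < 25; i++) if (list_add(&l, (uint16_t)(100 + i))) return 1;
    free(l.nodes);
    return 0;
}
```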