From: Santhapur Naveen
To: "edk2-devel@lists.01.org"
Date: Tue, 11 Apr 2017 08:05:58 +0000
Subject: Array out of bounds write
Message-ID: <625A2455CC232F40B0F38F05ACED6D97C867892F@Venus2.in.megatrends.com>
List-Id: EDK II Development

Hello all,

In the file PxeBcSupport.c of NetworkPkg there is

    EFI_STATUS
    PxeBcUdp4Write (
    {
      ...
      //
      // Arrange one fragment buffer for data, and another fragment buffer for header if has.
      //
      FragCount = (HeaderSize != NULL) ? 2 : 1;
      ...
      TxData->FragmentTable[FragCount - 1].FragmentLength = (UINT32) *BufferSize;
      ...
    }

And similarly in

    EFI_STATUS
    PxeBcUdp6Write (
    {
      ...
      //
      // Arrange one fragment buffer for data, and another fragment buffer for header if has.
      //
      FragCount = (HeaderSize != NULL) ? 2 : 1;
      ...
      TxData->FragmentTable[FragCount - 1].FragmentLength = (UINT32) *BufferSize;
      ...
    }

If HeaderSize is not NULL, then there is a chance of writing array over bounds since FragmentTable is of single element.

    ///
    /// Array of fragment descriptors.
    ///
    EFI_UDP6_FRAGMENT_DATA    FragmentTable[1];

Shouldn't we be taking care of this?

Regards,
Naveen
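Whether index FragCount - 1 is in bounds for a table declared with one element depends on how much memory was allocated behind the structure, which the elided lines above do not show. The following is an added example, not code from this message or from edk2: it sizes the allocation for the fragment count and rejects any index the allocation does not back. The type names, function names and the MAX_FRAGMENTS cap are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the UDP transmit structures quoted above. */
typedef struct {
  uint32_t FragmentLength;
  void    *FragmentBuffer;
} FRAGMENT_DATA;

typedef struct {
  uint32_t      DataLength;
  uint32_t      FragmentCount;
  FRAGMENT_DATA FragmentTable[1];  /* declared with a single element */
} TRANSMIT_DATA;

#define MAX_FRAGMENTS 64u  /* assumed cap, keeps the size arithmetic from overflowing */

/* Bytes needed for FragCount descriptors; 0 means the count is rejected.
   The struct already contains one entry, so only FragCount - 1 are added. */
size_t TxDataSize(uint32_t FragCount) {
  if (FragCount == 0 || FragCount > MAX_FRAGMENTS) return 0;
  return sizeof(TRANSMIT_DATA) + (size_t)(FragCount - 1) * sizeof(FRAGMENT_DATA);
}

TRANSMIT_DATA *AllocTxData(uint32_t FragCount) {
  size_t Size = TxDataSize(FragCount);
  TRANSMIT_DATA *Tx = (Size != 0) ? calloc(1, Size) : NULL;
  if (Tx != NULL) Tx->FragmentCount = FragCount;  /* record what was allocated */
  return Tx;
}

/* Bounds-checked descriptor write: 0 on success, -1 if Index is not backed
   by the allocation. The table is addressed through offsetof so the access
   is not tied to the declared [1] bound. */
int SetFragment(TRANSMIT_DATA *Tx, uint32_t Index, void *Buf, uint32_t Len) {
  FRAGMENT_DATA *Table;
  if (Tx == NULL || Index >= Tx->FragmentCount) return -1;
  Table = (FRAGMENT_DATA *)((char *)Tx + offsetof(TRANSMIT_DATA, FragmentTable));
  Table[Index].FragmentLength = Len;
  Table[Index].FragmentBuffer = Buf;
  Tx->DataLength += Len;
  return 0;
}
```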