2002:ac2:5f06:0:b0:4d2:7420:3a52 with SMTP id 6-20020ac25f06000000b004d274203a52mr2669654lfq.484.1674657070314; Wed, 25 Jan 2023 06:31:10 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: houjingyi647@gmail.com Date: Wed, 25 Jan 2023 22:30:58 +0800 Message-ID: Subject: [PATCH] RedfishPkg/RedfishLib: Avoid possible overflow in memcpy To: devel@edk2.groups.io Content-Type: multipart/alternative; boundary="000000000000cbf8e705f3177b63" --000000000000cbf8e705f3177b63 Content-Type: text/plain; charset="UTF-8" >>From 0541928e66eb01802a855bbbae125ef0b02259d6 Mon Sep 17 00:00:00 2001 From: houjingyi233 Date: Wed, 25 Jan 2023 22:11:31 +0800 Subject: [PATCH] RedfishPkg/RedfishLib: Avoid possible overflow in memcpy It is possible that when the third argument of the memcpy is unequal to the first argument of malloc will cause overflow, when +1 in malloc cause int overflow malloc a very small size of memory and followed memcpy will cause heap overflow. Signed-off-by: houjingyi233 --- .../RedfishLib/edk2libredfish/src/redpath.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c b/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c index cf5ab85165..a1523938f7 100644 --- a/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c +++ b/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c @@ -175,6 +175,10 @@ parseNode ( return; } + if ((opChars - index)+1 < opChars - index) { + return; + } + node->next->propName = (char *)malloc ((opChars - index)+1); memcpy (node->next->propName, index, (opChars - index)); node->next->propName[(opChars - index)] = 0; @@ -189,6 +193,9 @@ parseNode ( break; } + if (tmpIndex+1 < tmpIndex) { + return; + } node->next->op = (char *)malloc (tmpIndex+1); memcpy (node->next->op, opChars, tmpIndex); node->next->op[tmpIndex] = 0; 
@@ -217,6 +224,10 @@ getStringTill ( return strdup (string); } + if ((end-string)+1 < end-string) { + return; + } + ret = (char *)malloc ((end-string)+1); memcpy (ret, string, (end-string)); ret[(end-string)] = 0; -- 2.37.3 --000000000000cbf8e705f3177b63 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
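Review bot: In the first parseNode hunk (@@ -175,6 +175,10 @@), `(opChars - index)+1 < opChars - index` compares signed `ptrdiff_t` values, so if the addition ever overflowed the behaviour would be undefined and the compiler is entitled to fold the test to false; and because both pointers index the same string, the difference cannot come within 1 of `PTRDIFF_MAX` in practice. The case this expression does not catch is `opChars < index`, where the negative difference converts to a huge `size_t` when handed to `malloc` and `memcpy`. Suggest testing the ordering and the allocation result instead, e.g. `if (opChars < index) { return; }`, then `size_t len = (size_t)(opChars - index);` and a NULL check on `malloc (len + 1)` before the `memcpy`. Note also that a bare `return;` silently truncates the parse: the caller receives whatever was built so far with no indication that anything failed.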
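Review bot: In the second parseNode hunk (@@ -189,6 +193,9 @@), the early `return` sits between the assignment of `node->next->propName` in the previous hunk and the assignment of `node->next->op` here, so on the error path `node->next` is left with `propName` allocated and `op` never set; unless `node->next` was zero-initialized, later code reading `op` sees an indeterminate pointer. `tmpIndex+1 < tmpIndex` is a valid overflow test only if `tmpIndex` is unsigned (for a signed type the overflow is undefined behaviour and the check may be optimized away); please say which in the commit message or use a `size_t` local. Consider freeing `propName` (or setting `op = NULL`) before returning, and checking the result of `malloc (tmpIndex+1)` before the `memcpy`.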
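Review bot: In the getStringTill hunk (@@ -217,6 +224,10 @@), the function returns `char *` (see `return strdup (string);` two lines above), so a bare `return;` is a constraint violation in C99 and later: clang rejects it and GCC warns under -Wreturn-type. It should be `return NULL;`, and every caller of getStringTill must then be prepared for a NULL result, which this patch does not show. As in the first hunk, `(end-string)+1 < end-string` is a signed `ptrdiff_t` comparison whose overflow is undefined behaviour and practically unreachable, while the `end < string` case that would actually produce an oversized allocation is not tested. Suggest `if (end < string) { return NULL; }` plus a NULL check on the `malloc ((end-string)+1)` result before the `memcpy`.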
--000000000000cbf8e705f3177b63--