From: houjingyi <houjingyi647@gmail.com>
Date: Wed, 25 Jan 2023 22:23:07 +0800
Subject: [PATCH] RedfishPkg/RedfishLib: Avoid possible overflow in memcpy
To: devel@edk2.groups.io

From 0541928e66eb01802a855bbbae125ef0b02259d6 Mon Sep 17 00:00:00 2001
From: houjingyi233
Date: Wed, 25 Jan 2023 22:11:31 +0800
Subject: [PATCH] RedfishPkg/RedfishLib: Avoid possible overflow in memcpy

It is possible that when the third argument of the memcpy is unequal to the first argument of malloc, it will cause an overflow: when the +1 in malloc causes an int overflow, malloc allocates a very small size of memory and the following memcpy will cause a heap overflow.

Signed-off-by: houjingyi233
--- .../RedfishLib/edk2libredfish/src/redpath.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c b/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c index cf5ab85165..a1523938f7 100644 --- a/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c +++ b/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redpath.c @@ -175,6 +175,10 @@ parseNode ( return; } + if ((opChars - index)+1 < opChars - index) { + return; + } + node->next->propName = (char *)malloc ((opChars - index)+1); memcpy (node->next->propName, index, (opChars - index)); node->next->propName[(opChars - index)] = 0; @@ -189,6 +193,9 @@ parseNode ( break; } + if (tmpIndex+1 < tmpIndex) { + return; + } node->next->op = (char *)malloc (tmpIndex+1); memcpy (node->next->op, opChars, tmpIndex); node->next->op[tmpIndex] = 0;
@@ -217,6 +224,10 @@ getStringTill ( return strdup (string); } + if ((end-string)+1 < end-string) { + return; + } + ret = (char *)malloc ((end-string)+1); memcpy (ret, string, (end-string)); ret[(end-string)] = 0; -- 2.37.3
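
Review bot: In the first parseNode hunk, the guard `(opChars - index)+1 < opChars - index` is evaluated on a pointer difference, which is a signed `ptrdiff_t`; signed overflow is undefined behaviour in C, so a compiler is free to treat the condition as always false and drop the check. Consider confirming `opChars >= index`, converting the length to an unsigned size once, testing it against that type's maximum before adding 1, and using that single variable for the `malloc`, the `memcpy` and the terminator. The `malloc` result is also still passed straight to `memcpy` without a NULL check.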
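
Review bot: In the second parseNode hunk, the early `return;` placed before `node->next->op` is allocated leaves the node half-built: `node->next->propName` is assigned earlier in the same function, nothing on this path releases it, and a bare `return;` gives the caller no failure indication. Consider releasing what was already allocated, or marking the node invalid, before returning. Whether `tmpIndex+1 < tmpIndex` can ever be true also depends on the type of `tmpIndex`, which the hunk does not show: it is a sound wraparound test only for an unsigned type. As a style point, the other two hunks add a blank line after the closing brace and this one does not.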
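
Review bot: In the getStringTill hunk, the added `return;` returns no value, but the context line just above it is `return strdup (string);`, so the function returns a pointer; this should be `return NULL;`. As written it will draw a compiler diagnostic, and a caller that uses the result on this path has undefined behaviour. The condition `(end-string)+1 < end-string` is computed on a signed pointer difference, so it relies on signed overflow and may be optimised away; checking `end >= string` and comparing an unsigned length against its maximum before adding 1 would be well defined. The `malloc` result is also not checked before the `memcpy`.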
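
The overflow described in the commit message comes from sizing an allocation with `+1` while the copy uses a separately written length. As an added example (not code from the patch or from edk2; `size_add_checked` and `dup_range` are hypothetical names), one well-defined way to write that pattern, assuming both pointers point into the same string:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not in libredfish): add two sizes and report
 * wraparound. Unsigned arithmetic is defined, so this test cannot be dropped. */
static int size_add_checked(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b) {
        return 0;                 /* a + b would wrap */
    }
    *out = a + b;
    return 1;
}

/* Hypothetical helper: copy [start, end) into a new NUL-terminated buffer.
 * Assumes both pointers point into the same string. Returns NULL on a
 * reversed range, on size wraparound, or when malloc fails. */
static char *dup_range(const char *start, const char *end)
{
    size_t len, alloc;
    char *ret;

    if (start == NULL || end == NULL || end < start) {
        return NULL;
    }
    len = (size_t)(end - start);  /* non-negative after the check above */
    if (!size_add_checked(len, 1, &alloc)) {
        return NULL;
    }
    ret = malloc(alloc);
    if (ret == NULL) {
        return NULL;
    }
    memcpy(ret, start, len);      /* len is alloc - 1, so the copy fits */
    ret[len] = '\0';
    return ret;
}

int main(void)
{
    const char *path = "Systems[Id=1]";   /* constructed sample input */
    char *name = dup_range(path, strchr(path, '['));
    printf("%s\n", name ? name : "(failed)");
    free(name);
    return 0;
}
```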