From: "Carsey, Jaben"
To: "Wu, Hao A", "edk2-devel@lists.01.org"
CC: "Ni, Ruiyu", "Shi, Steven"
Date: Tue, 19 Sep 2017 13:22:44 +0000
In-Reply-To: <20170919113833.14048-2-hao.a.wu@intel.com>
Subject: Re: [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string boundary

Reviewed-by: Jaben Carsey

> -----Original Message-----
> From: Wu, Hao A
> Sent: Tuesday, September 19, 2017 4:39 AM
> To: edk2-devel@lists.01.org
> Cc: Wu, Hao A; Ni, Ruiyu; Carsey, Jaben; Shi, Steven
> Subject: [PATCH 1/2] ShellPkg/Shell: Avoid reading content beyond string
> boundary
> Importance: High
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=690
>
> Within function EfiShellGetDevicePathFromFilePath(), when the input
> parameter 'Path' string is like:
> "FS0:"
>
> It is possible for the below statement:
> "if (*(Path+StrLen(MapName)+1) == CHAR_NULL) {"
>
> to read the content 1 byte beyond the string boundary (both 'Path' and
> 'MapName' will be FS0: in this case).
>
> This commit adds additional checks to avoid this.
>
> Cc: Ruiyu Ni
> Cc: Jaben Carsey
> Cc: Steven Shi
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Hao Wu
> --- > ShellPkg/Application/Shell/ShellProtocol.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) >=20 > diff --git a/ShellPkg/Application/Shell/ShellProtocol.c > b/ShellPkg/Application/Shell/ShellProtocol.c > index 40e5e653ae..5e34b8dad1 100644 > --- a/ShellPkg/Application/Shell/ShellProtocol.c > +++ b/ShellPkg/Application/Shell/ShellProtocol.c > @@ -598,7 +598,8 @@ EfiShellGetDevicePathFromFilePath( > // > // build the full device path > // > - if (*(Path+StrLen(MapName)+1) =3D=3D CHAR_NULL) { > + if ((*(Path+StrLen(MapName)) !=3D CHAR_NULL) && > + (*(Path+StrLen(MapName)+1) =3D=3D CHAR_NULL)) { > DevicePathForReturn =3D FileDevicePath(Handle, L"\\"); > } else { > DevicePathForReturn =3D FileDevicePath(Handle, Path+StrLen(MapName))= ; > -- > 2.12.0.windows.1
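
Review bot: in the new two-part condition in EfiShellGetDevicePathFromFilePath(), when Path is exactly the map name (the "FS0:" case from the commit message) the first test fails and control falls to the else branch, which calls FileDevicePath(Handle, Path+StrLen(MapName)) with an empty string rather than L"\\". If a bare mapping is meant to resolve to the volume root, that case should be routed to the first branch as well (for example, take it when the character at Path+StrLen(MapName) is CHAR_NULL or when only one character follows); if the empty path is intended, a short comment above the condition saying so would help. The first branch also still accepts any single trailing character, not only a backslash, which may deserve a comment. StrLen(MapName) is now evaluated up to three times here; holding Path+StrLen(MapName) in a local would make the bounds reasoning easier to follow.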