diff options
| author | Sebastian Witt <sebastian.witt@siemens.com> | 2024-06-04 13:10:13 +0200 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2024-06-07 13:23:04 +0000 |
| commit | df8c61e4c071d1c6ab04e3ebeeb07cf97fc893e0 (patch) | |
| tree | 16a7c863f5ab1aff1f1995d0fdbbfecc5eb8a3d7 | |
| parent | 8c826be35c736f4b718c8f927853aa957a1973d8 (diff) | |
| download | edk2-df8c61e4c071d1c6ab04e3ebeeb07cf97fc893e0.tar.gz edk2-df8c61e4c071d1c6ab04e3ebeeb07cf97fc893e0.tar.bz2 edk2-df8c61e4c071d1c6ab04e3ebeeb07cf97fc893e0.zip | |
CryptoPkg: Fix BaseCryptLib CrtWrapper strcpy
strcpy fails when strSource is closer than 4096 bytes after strDest.
This is caused by an overlap check in AsciiStrCpyS:
//
// 5. Copying shall not take place between objects that overlap.
//
SAFE_STRING_CONSTRAINT_CHECK (InternalSafeStringNoAsciiStrOverlap
(Destination, DestMax, (CHAR8 *)Source, SourceLen + 1),
RETURN_ACCESS_DENIED);
Since DestMax is MAX_STRING_SIZE (0x1000) and with a Source
that is in this area behind Destination, AsciiStrCpyS will fail
and strcpy will do nothing.
When called by CRYPTO_strdup in openssl this leads to uninitialzed
memory that gets accessed instead of the copied string.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2817
Signed-off-by: Sebastian Witt <sebastian.witt@siemens.com>
| -rw-r--r-- | CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c index 37cdecc9bd..880ed140fd 100644 --- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c @@ -271,7 +271,7 @@ strcpy ( const char *strSource
)
{
- AsciiStrCpyS (strDest, MAX_STRING_SIZE, strSource);
+ AsciiStrCpyS (strDest, AsciiStrnSizeS (strSource, MAX_STRING_SIZE), strSource);
return strDest;
}
|