Fix the TOCTOU issue of CommBufferSize itself for SMM communicate handler input.

Signed-off-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14379 6f19259b-4bc3-4df7-8a09-765794883524
author: lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524> 2013-05-21 02:22:02 +0000
committer: lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524> 2013-05-21 02:22:02 +0000
commit: 164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d (patch)
tree: 884d9a2e5711d7237acac956f715a67f0d863107 /MdeModulePkg/Library/SmmCorePerformanceLib
parent: 6ab9f44138c62cea69000e7ada2161c07efadf93 (diff)
download: edk2-164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d.tar.gz
edk2-164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d.tar.bz2
edk2-164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d.zip
1 files changed, 11 insertions, 5 deletions
diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
index 2bfd62a2b9..f95079bd27 100644
--- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
+++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
@@ -543,6 +543,7 @@ SmmPerformanceHandlerEx (
   GAUGE_DATA_ENTRY_EX       *GaugeDataEx;
   UINTN                     NumberOfEntries;
   UINTN                     LogEntryKey;
+  UINTN                     TempCommBufferSize;
 
   GaugeEntryExArray = NULL;
 
@@ -553,11 +554,13 @@ SmmPerformanceHandlerEx (
     return EFI_SUCCESS;
   }
 
-  if(*CommBufferSize < sizeof (SMM_PERF_COMMUNICATE_EX)) {
+  TempCommBufferSize = *CommBufferSize;
+
+  if(TempCommBufferSize < sizeof (SMM_PERF_COMMUNICATE_EX)) {
     return EFI_SUCCESS;
   }
 
-  if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+  if (!IsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
     DEBUG ((EFI_D_ERROR, "SmmPerformanceHandlerEx: SMM communcation data buffer in SMRAM or overflow!\n"));
     return EFI_SUCCESS;
   }
@@ -649,7 +652,8 @@ SmmPerformanceHandler (
   GAUGE_DATA_ENTRY      *GaugeData;
   UINTN                 NumberOfEntries;
   UINTN                 LogEntryKey;
-  
+  UINTN                 TempCommBufferSize;
+
   GaugeEntryExArray = NULL;
 
   //
@@ -659,11 +663,13 @@ SmmPerformanceHandler (
     return EFI_SUCCESS;
   }
 
-  if(*CommBufferSize < sizeof (SMM_PERF_COMMUNICATE)) {
+  TempCommBufferSize = *CommBufferSize;
+
+  if(TempCommBufferSize < sizeof (SMM_PERF_COMMUNICATE)) {
     return EFI_SUCCESS;
   }
 
-  if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+  if (!IsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
     DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM communcation data buffer in SMRAM or overflow!\n"));
     return EFI_SUCCESS;
   }
author	lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524>	2013-05-21 02:22:02 +0000
committer	lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524>	2013-05-21 02:22:02 +0000
commit	164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d (patch)
tree	884d9a2e5711d7237acac956f715a67f0d863107 /MdeModulePkg/Library/SmmCorePerformanceLib
parent	6ab9f44138c62cea69000e7ada2161c07efadf93 (diff)
download	edk2-164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d.tar.gz edk2-164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d.tar.bz2 edk2-164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d.zip