MdePkg DevicePathLib: Validate before touch input buffer.

Current code not validate the input buffer before touch.
it may touch the buffer outside the validate scope. This
patch validate the input size big enough to touch the
first node.

Cc: Ruiyu NI <ruiyu.ni@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>

1 files changed, 21 insertions, 5 deletions

diff --git a/MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLib.c b/MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLib.c
index a514f1b6f9..2252d186cb 100644
--- a/MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLib.c
+++ b/MdePkg/Library/UefiDevicePathLibDevicePathProtocol/UefiDevicePathLib.c
@@ -103,17 +103,33 @@ IsDevicePathValid (
 

   ASSERT (DevicePath != NULL);

 

+  if (MaxSize == 0) {

+    MaxSize = MAX_UINTN;

+  }

+

+  //

+  // Validate the input size big enough to touch the first node.

+  //

+  if (MaxSize < sizeof (EFI_DEVICE_PATH_PROTOCOL)) {

+    return FALSE;

+  }

+

   for (Count = 0, Size = 0; !IsDevicePathEnd (DevicePath); DevicePath = NextDevicePathNode (DevicePath)) {

     NodeLength = DevicePathNodeLength (DevicePath);

     if (NodeLength < sizeof (EFI_DEVICE_PATH_PROTOCOL)) {

       return FALSE;

     }

 

-    if (MaxSize > 0) {

-      Size += NodeLength;

-      if (Size + END_DEVICE_PATH_LENGTH > MaxSize) {

-        return FALSE;

-      }

+    if (NodeLength > MAX_UINTN - Size) {

+      return FALSE;

+    }

+    Size += NodeLength;

+

+    //

+    // Validate next node before touch it.

+    //

+    if (Size > MaxSize - END_DEVICE_PATH_LENGTH ) {

+      return FALSE;

     }

 

     if (PcdGet32 (PcdMaximumDevicePathNodeCount) > 0) {