authorMichael Kubacki <michael.kubacki@microsoft.com>2020-04-07 22:46:37 -0700
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2020-04-17 17:34:33 +0000
commit1c761011340d830a2bf66128325a686ffff3f5e9 (patch)
treebadd7255a0383c5cfe6a1c6b239b494ff2612d48 /NetworkPkg
parentdf4f154da9cb193b8e539157d1ed1a851cf1488e (diff)
NetworkPkg/Ip6Dxe: Validate source data record length
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2273 Ip6ConfigReadConfigData() reads configuration data from a UEFI variable and copies the data to another buffer. This change checks that the length of the data record being copied does not exceed the size of the source UEFI variable data buffer. If the size is exceeded, this change follows existing logic to treat the variable as corrupted and deletes the variable so it will be set again. Cc: Siyuan Fu <siyuan.fu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Jiaxin Wu <jiaxin.wu@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Diffstat (limited to 'NetworkPkg')
-rw-r--r--NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c47
1 files changed, 30 insertions, 17 deletions
diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
index eb2a80b64f..ab38013369 100644
--- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
+++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
@@ -2,6 +2,7 @@
The implementation of EFI IPv6 Configuration Protocol.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -390,24 +391,9 @@ Ip6ConfigReadConfigData (
);
if (EFI_ERROR (Status) || (UINT16) (~NetblockChecksum ((UINT8 *) Variable, (UINT32) VarSize)) != 0) {
//
- // GetVariable still error or the variable is corrupted.
- // Fall back to the default value.
+ // GetVariable error or the variable is corrupted.
//
- FreePool (Variable);
-
- //
- // Remove the problematic variable and return EFI_NOT_FOUND, a new
- // variable will be set again.
- //
- gRT->SetVariable (
- VarName,
- &gEfiIp6ConfigProtocolGuid,
- IP6_CONFIG_VARIABLE_ATTRIBUTE,
- 0,
- NULL
- );
-
- return EFI_NOT_FOUND;
+ goto Error;
}
//
@@ -432,7 +418,12 @@ Ip6ConfigReadConfigData (
if (!DATA_ATTRIB_SET (DataItem->Attribute, DATA_ATTRIB_SIZE_FIXED)) {
//
// This data item has variable length data.
+ // Check that the length is contained within the variable before allocating.
//
+ if (DataRecord.DataSize > VarSize - DataRecord.Offset) {
+ goto Error;
+ }
+
DataItem->Data.Ptr = AllocatePool (DataRecord.DataSize);
if (DataItem->Data.Ptr == NULL) {
//
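Review bot: The new bound `DataRecord.DataSize > VarSize - DataRecord.Offset` never checks that `DataRecord.Offset` itself lies inside the variable; if `VarSize` is an unsigned type, as it appears to be, an offset larger than `VarSize` makes the subtraction wrap to a large value and the record is accepted. I would test the offset first: `if (DataRecord.Offset > VarSize || DataRecord.DataSize > VarSize - DataRecord.Offset) {`. The check also sits only in the variable-length branch, so records for fixed-size items presumably reach the later copy without any comparison against `VarSize`; the copy and the rest of the loop are outside this hunk, so that needs confirming there. The checksum tested earlier in the function only detects accidental corruption, so the offset and size fields read from the variable should be treated as untrusted.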
@@ -454,6 +445,28 @@ Ip6ConfigReadConfigData (
}
return Status;
+
+Error:
+ //
+ // Fall back to the default value.
+ //
+ if (Variable != NULL) {
+ FreePool (Variable);
+ }
+
+ //
+ // Remove the problematic variable and return EFI_NOT_FOUND, a new
+ // variable will be set again.
+ //
+ gRT->SetVariable (
+ VarName,
+ &gEfiIp6ConfigProtocolGuid,
+ IP6_CONFIG_VARIABLE_ATTRIBUTE,
+ 0,
+ NULL
+ );
+
+ return EFI_NOT_FOUND;
}
/**
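Review bot: The `Error` label frees `Variable` and deletes the stored variable but does not undo anything written before the jump, so a `goto Error` from the new length check, which presumably sits inside the per-record loop, returns `EFI_NOT_FOUND` with data items from earlier records of the rejected variable still populated. The comment `// Fall back to the default value.` therefore overstates what the label does. If the caller writes the instance back after `EFI_NOT_FOUND`, as "a new variable will be set again" suggests, those partial values would be persisted; either reset the items before returning or say so in the comment, e.g. `// Records copied before the failure are kept; only the stored variable is discarded.` The return value of `gRT->SetVariable` is also ignored here, so a failed delete leaves the corrupted variable in place with no indication to the caller.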