diff options
| author | Laszlo Ersek <lersek@redhat.com> | 2021-06-08 14:12:58 +0200 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2021-06-09 17:25:03 +0000 |
| commit | 54e90edaed0d7c15230902ac4d74f4304bad2ebd (patch) | |
| tree | f90cd8bc36744bcb6a87dc3686f6c8307245036f /SecurityPkg | |
| parent | 47b76780b487dbfde4efb6843b16064c4a97e94d (diff) | |
| download | edk2-54e90edaed0d7c15230902ac4d74f4304bad2ebd.tar.gz edk2-54e90edaed0d7c15230902ac4d74f4304bad2ebd.tar.bz2 edk2-54e90edaed0d7c15230902ac4d74f4304bad2ebd.zip | |
NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer overflow
The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return
condition, but never actually checks whether the decoded buffer fits into
the caller-provided room (i.e., the input value of "BinLength"), and
EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can
overflow "BinBuffer".
This is remotely exploitable, as shown in a subsequent patch, which adds
error checking to the IScsiHexToBin() call sites. This issue allows the
target to compromise the initiator.
Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent
EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow,
plus actually catch the buffer overflow.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210608121259.32451-10-lersek@redhat.com>
Diffstat (limited to 'SecurityPkg')
0 files changed, 0 insertions, 0 deletions