authorKrzysztof Koch <krzysztof.koch@arm.com>2019-07-22 15:50:25 -0700
committerJaben Carsey <jaben.carsey@intel.com>2019-07-31 09:52:57 -0700
commitd23bf7973491938d479bef5535c9017dc9065e58 (patch)
tree6e54a84762a1ef0cf7f689b4669774e1bb5db7fb /ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c
parent748c1efd1e0d934c68b6dafd3011aee47c25ad57 (diff)
ShellPkg: acpiview: MADT: Split structure length validation
Split the Interrupt Controller Structure length validation in the acpiview UEFI shell tool into two logical parts: 1. Ensuring MADT table parser forward progress. 2. Preventing MADT table buffer overruns. Also, make the condition for infinite loop detection applicable to all types of Interrupt Controller Structures (for all interrupt models which can be represented in MADT). Check if the controller length specified is shorter than the byte size of the first two fields ('Type' and 'Length') present in every valid Interrupt Controller Structure. Signed-off-by: Krzysztof Koch <krzysztof.koch@arm.com> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Reviewed-by: Jaben Carsey <jaben.carsey@intel.com> Reviewed-by: Zhichao Gao <zhichao.gao@intel.com>
Diffstat (limited to 'ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c')
-rw-r--r--ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c30
1 files changed, 22 insertions, 8 deletions
diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c
index 338295d30e..d80ebd1a2b 100644
--- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c
+++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Madt/MadtParser.c
@@ -260,16 +260,30 @@ ParseAcpiMadt (
PARSER_PARAMS (MadtInterruptControllerHeaderParser)
);
- if (((Offset + (*MadtInterruptControllerLength)) > AcpiTableLength) ||
- (*MadtInterruptControllerLength < 4)) {
+ // Make sure forward progress is made.
+ if (*MadtInterruptControllerLength < 2) {
IncrementErrorCount ();
Print (
- L"ERROR: Invalid Interrupt Controller Length,"
- L" Type = %d, Length = %d\n",
- *MadtInterruptControllerType,
- *MadtInterruptControllerLength
- );
- break;
+ L"ERROR: Structure length is too small: " \
+ L"MadtInterruptControllerLength = %d. " \
+ L"MadtInterruptControllerType = %d. MADT parsing aborted.\n",
+ *MadtInterruptControllerLength,
+ *MadtInterruptControllerType
+ );
+ return;
+ }
+
+ // Make sure the MADT structure lies inside the table
+ if ((Offset + *MadtInterruptControllerLength) > AcpiTableLength) {
+ IncrementErrorCount ();
+ Print (
+ L"ERROR: Invalid MADT structure length. " \
+ L"MadtInterruptControllerLength = %d. " \
+ L"RemainingTableBufferLength = %d. MADT parsing aborted.\n",
+ *MadtInterruptControllerLength,
+ AcpiTableLength - Offset
+ );
+ return;
}
switch (*MadtInterruptControllerType) {
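Review bot: Both new checks dereference `MadtInterruptControllerLength` and `MadtInterruptControllerType` straight after the `ParseAcpi` call, and nothing in the hunk confirms that the header parse populated them. If fewer than two bytes remain at `Offset`, the pointers may be unset or still point at the previous structure; the parser table is outside the hunk, so this needs confirming. A guard ahead of the forward-progress check would cover it, e.g. `if ((MadtInterruptControllerType == NULL) || (MadtInterruptControllerLength == NULL))` followed by the same error-count, message and `return`. Separately, the bounds test is more robust written as `if (*MadtInterruptControllerLength > (AcpiTableLength - Offset)) {`, which cannot wrap provided the loop keeps `Offset` below `AcpiTableLength`, and it matches the value already printed as RemainingTableBufferLength. The enclosing loop in ParseAcpiMadt begins and ends outside the hunk.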