From cf01b2dc8fc3ff9cf49fb891af5703dc03e3193e Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Tue, 8 Jun 2021 14:12:54 +0200 Subject: NetworkPkg/IScsiDxe: fix potential integer overflow in IScsiBinToHex() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Considering IScsiBinToHex(): > if (((*HexLength) - 3) < BinLength * 2) { > *HexLength = BinLength * 2 + 3; > } the following subexpressions are problematic: (*HexLength) - 3 BinLength * 2 BinLength * 2 + 3 The first one may wrap under zero, the latter two may wrap over MAX_UINT32. Rewrite the calculation using SafeIntLib. While at it, change the type of the "Index" variable from UINTN to UINT32. The largest "Index"-based value that we calculate is Index * 2 + 2 (with (Index == BinLength)) Because the patch makes BinLength * 2 + 3 safe to calculate in UINT32, using UINT32 for Index * 2 + 2 (with (Index == BinLength)) is safe too. Consistently using UINT32 improves readability. This patch is best reviewed with "git show -W". The integer overflows that this patch fixes are theoretical; a subsequent patch in the series will audit the IScsiBinToHex() call sites, and show that none of them can fail. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daudé Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 Signed-off-by: Laszlo Ersek Reviewed-by: Maciej Rabeda Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20210608121259.32451-6-lersek@redhat.com> --- NetworkPkg/IScsiDxe/IScsiDxe.inf | 1 + 1 file changed, 1 insertion(+) (limited to 'NetworkPkg/IScsiDxe/IScsiDxe.inf') diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf index 543c408302..1dde56d00c 100644 --- a/NetworkPkg/IScsiDxe/IScsiDxe.inf +++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf @@ -74,6 +74,7 @@ MemoryAllocationLib NetLib PrintLib + SafeIntLib TcpIoLib UefiBootServicesTableLib UefiDriverEntryPoint -- cgit v1.2.3