Fix the TOCTOU issue of CommBufferSize itself for SMM communicate handler input.

Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14379 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
lzeng14
2013-05-21 02:22:02 +00:00
parent 6ab9f44138
commit 164a9b6752
6 changed files with 53 additions and 26 deletions

View File

@@ -543,6 +543,7 @@ SmmPerformanceHandlerEx (
GAUGE_DATA_ENTRY_EX *GaugeDataEx;
UINTN NumberOfEntries;
UINTN LogEntryKey;
UINTN TempCommBufferSize;
GaugeEntryExArray = NULL;
@@ -553,11 +554,13 @@ SmmPerformanceHandlerEx (
return EFI_SUCCESS;
}
if(*CommBufferSize < sizeof (SMM_PERF_COMMUNICATE_EX)) {
TempCommBufferSize = *CommBufferSize;
if(TempCommBufferSize < sizeof (SMM_PERF_COMMUNICATE_EX)) {
return EFI_SUCCESS;
}
if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
if (!IsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandlerEx: SMM communcation data buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -649,7 +652,8 @@ SmmPerformanceHandler (
GAUGE_DATA_ENTRY *GaugeData;
UINTN NumberOfEntries;
UINTN LogEntryKey;
UINTN TempCommBufferSize;
GaugeEntryExArray = NULL;
//
@@ -659,11 +663,13 @@ SmmPerformanceHandler (
return EFI_SUCCESS;
}
if(*CommBufferSize < sizeof (SMM_PERF_COMMUNICATE)) {
TempCommBufferSize = *CommBufferSize;
if(TempCommBufferSize < sizeof (SMM_PERF_COMMUNICATE)) {
return EFI_SUCCESS;
}
if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
if (!IsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM communcation data buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}