Fix the TOCTOU issue of CommBufferSize itself for SMM communicate handler input.

Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14379 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
lzeng14
2013-05-21 02:22:02 +00:00
parent 6ab9f44138
commit 164a9b6752
6 changed files with 53 additions and 26 deletions

View File

@@ -372,7 +372,7 @@ SmmFaultTolerantWriteHandler (
UINTN CommBufferPayloadSize;
UINTN PrivateDataSize;
UINTN Length;
UINTN TempCommBufferSize;
//
// If input is invalid, stop processing this SMI
@@ -381,13 +381,15 @@ SmmFaultTolerantWriteHandler (
return EFI_SUCCESS;
}
if (*CommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {
TempCommBufferSize = *CommBufferSize;
if (TempCommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {
DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer size invalid!\n"));
return EFI_SUCCESS;
}
CommBufferPayloadSize = *CommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE;
CommBufferPayloadSize = TempCommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE;
if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}