Fix potential overflow for SetVariable interface
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by : Guo Dong <dong.guo@intel.com> Reviewed-by : Siyuan Fu <siyuan.fu@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14305 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
@@ -2218,14 +2218,20 @@ VariableServiceSetVariable (
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
if ((UINTN)(~0) - DataSize < StrSize(VariableName)){
|
||||
//
|
||||
// Prevent whole variable size overflow
|
||||
//
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
//
|
||||
// The size of the VariableName, including the Unicode Null in bytes plus
|
||||
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
|
||||
// bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
|
||||
//
|
||||
if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
|
||||
if ((DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||
|
||||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
|
||||
if ( StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
|
||||
@@ -2236,8 +2242,7 @@ VariableServiceSetVariable (
|
||||
// The size of the VariableName, including the Unicode Null in bytes plus
|
||||
// the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
|
||||
//
|
||||
if ((DataSize > PcdGet32 (PcdMaxVariableSize)) ||
|
||||
(sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize))) {
|
||||
if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
}
|
||||
|
@@ -424,6 +424,13 @@ RuntimeServiceSetVariable (
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
if ((UINTN)(~0) - StrSize (VariableName) < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {
|
||||
//
|
||||
// Prevent PayloadSize overflow
|
||||
//
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
|
||||
|
||||
//
|
||||
|
Reference in New Issue
Block a user