add security check.

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@8680 6f19259b-4bc3-4df7-8a09-765794883524

MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c

@@ -274,6 +274,7 @@ PxeBcTryBinl (
   PXEBC_CACHED_DHCP4_PACKET *CachedPacket;
   EFI_DHCP4_PACKET          *Reply;
 
+  ASSERT (Index < PXEBC_MAX_OFFER_NUM);
   ASSERT (Private->Dhcp4Offers[Index].OfferType == DHCP4_PACKET_TYPE_BINL);
 
   Offer = &Private->Dhcp4Offers[Index].Packet.Offer;
@@ -560,6 +561,7 @@ PxeBcCacheDhcpOffer (
   }
 
   OfferType = CachedOffer->OfferType;
+  ASSERT (OfferType < DHCP4_PACKET_TYPE_MAX);
 
   if (OfferType == DHCP4_PACKET_TYPE_BOOTP) {
 
@@ -603,6 +605,7 @@ PxeBcCacheDhcpOffer (
       //
       // It's a dhcp offer with your address.
       //
+      ASSERT (Private->ServerCount[OfferType] < PXEBC_MAX_OFFER_NUM);
       Private->OfferIndex[OfferType][Private->ServerCount[OfferType]] = Private->NumOffers;
       Private->ServerCount[OfferType]++;
     }
@@ -1119,6 +1122,7 @@ PxeBcDiscvBootService (
   EFI_DHCP4_HEADER                    *DhcpHeader;
   UINT32                              Xid;
 
+  ASSERT (IsDiscv && (Layer != NULL));
 
   Mode      = Private->PxeBc.Mode;
   Dhcp4     = Private->Dhcp4;
@@ -1717,15 +1721,21 @@ PxeBcSelectBootMenu (
   MenuSize  = VendorOpt->BootMenuLen;
   MenuItem  = VendorOpt->BootMenu;
 
+  if (MenuSize == 0) {
+    return EFI_NOT_READY;
+  }
+
   while (MenuSize > 0) {
     MenuArray[Index]  = MenuItem;
     MenuSize          = (UINT8) (MenuSize - (MenuItem->DescLen + 3));
     MenuItem          = (PXEBC_BOOT_MENU_ENTRY *) ((UINT8 *) MenuItem + MenuItem->DescLen + 3);
-    Index++;
+    if (Index++ > (PXEBC_MAX_MENU_NUM - 1)) {
+      break;
+    }
   }
 
   if (UseDefaultItem) {
-    CopyMem (Type, &MenuArray[0]->Type, sizeof (UINT16));
+    *Type = MenuArray[0]->Type;
     *Type = NTOHS (*Type);
     return EFI_SUCCESS;
   }

MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcImpl.c

@@ -1432,6 +1432,8 @@ CheckIpByFilter (
     return TRUE;
   }
 
+  ASSERT (PxeBcMode->IpFilter.IpCnt < EFI_PXE_BASE_CODE_MAX_IPCNT);
+
   for (Index = 0; Index < PxeBcMode->IpFilter.IpCnt; Index++) {
     CopyMem (
       &Ip4Address, 
@@ -1755,20 +1757,20 @@ EfiPxeBcSetIpFilter (
   BOOLEAN                   PromiscuousNeed;
 
   if (This == NULL) {
-    DEBUG ((EFI_D_ERROR, "BC *This pointer == NULL.\n"));
+    DEBUG ((EFI_D_ERROR, "This == NULL.\n"));
     return EFI_INVALID_PARAMETER;
   }
 
   Private = PXEBC_PRIVATE_DATA_FROM_PXEBC (This);
   Mode = Private->PxeBc.Mode;
 
-  if (Private == NULL) {
-    DEBUG ((EFI_D_ERROR, "PXEBC_PRIVATE_DATA poiner == NULL.\n"));
+  if (NewFilter == NULL) {
+    DEBUG ((EFI_D_ERROR, "NewFilter == NULL.\n"));
     return EFI_INVALID_PARAMETER;
   }
 
-  if (NewFilter == NULL) {
-    DEBUG ((EFI_D_ERROR, "IP Filter *NewFilter == NULL.\n"));
+  if (NewFilter->IpCnt > EFI_PXE_BASE_CODE_MAX_IPCNT) {
+    DEBUG ((EFI_D_ERROR, "NewFilter->IpCnt > %d.\n", EFI_PXE_BASE_CODE_MAX_IPCNT));
     return EFI_INVALID_PARAMETER;
   }
 
@@ -1778,6 +1780,7 @@ EfiPxeBcSetIpFilter (
   }
 
   PromiscuousNeed = FALSE;
+
   for (Index = 0; Index < NewFilter->IpCnt; ++Index) {
     if (IP4_IS_LOCAL_BROADCAST (EFI_IP4 (NewFilter->IpList[Index].v4))) {
       //

MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcSupport.c

@@ -250,9 +250,10 @@ CvtNum (
 {
   UINTN Remainder;
 
-  while (Length-- > 0) {
+  while (Length > 0) {
     Remainder = Number % 10;
     Number /= 10;
+    Length--;
     Buffer[Length] = (UINT8) ('0' + Remainder);
   }
 }