diff options
author | lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524> | 2013-05-21 02:22:02 +0000 |
---|---|---|
committer | lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524> | 2013-05-21 02:22:02 +0000 |
commit | 164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d (patch) | |
tree | 884d9a2e5711d7237acac956f715a67f0d863107 /MdeModulePkg/Library | |
parent | 6ab9f44138c62cea69000e7ada2161c07efadf93 (diff) | |
download | edk2-platforms-164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d.tar.xz |
Fix the TOCTOU issue of CommBufferSize itself for SMM communicate handler input.
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14379 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'MdeModulePkg/Library')
-rw-r--r-- | MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c index 2bfd62a2b9..f95079bd27 100644 --- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c +++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c @@ -543,6 +543,7 @@ SmmPerformanceHandlerEx ( GAUGE_DATA_ENTRY_EX *GaugeDataEx;
UINTN NumberOfEntries;
UINTN LogEntryKey;
+ UINTN TempCommBufferSize;
GaugeEntryExArray = NULL;
@@ -553,11 +554,13 @@ SmmPerformanceHandlerEx ( return EFI_SUCCESS;
}
- if(*CommBufferSize < sizeof (SMM_PERF_COMMUNICATE_EX)) {
+ TempCommBufferSize = *CommBufferSize;
+
+ if(TempCommBufferSize < sizeof (SMM_PERF_COMMUNICATE_EX)) {
return EFI_SUCCESS;
}
- if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ if (!IsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandlerEx: SMM communcation data buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
@@ -649,7 +652,8 @@ SmmPerformanceHandler ( GAUGE_DATA_ENTRY *GaugeData;
UINTN NumberOfEntries;
UINTN LogEntryKey;
-
+ UINTN TempCommBufferSize;
+
GaugeEntryExArray = NULL;
//
@@ -659,11 +663,13 @@ SmmPerformanceHandler ( return EFI_SUCCESS;
}
- if(*CommBufferSize < sizeof (SMM_PERF_COMMUNICATE)) {
+ TempCommBufferSize = *CommBufferSize;
+
+ if(TempCommBufferSize < sizeof (SMM_PERF_COMMUNICATE)) {
return EFI_SUCCESS;
}
- if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ if (!IsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM communcation data buffer in SMRAM or overflow!\n"));
return EFI_SUCCESS;
}
|