diff options
| author | niruiyu <niruiyu@6f19259b-4bc3-4df7-8a09-765794883524> | 2013-05-20 07:04:56 +0000 |
|---|---|---|
| committer | niruiyu <niruiyu@6f19259b-4bc3-4df7-8a09-765794883524> | 2013-05-20 07:04:56 +0000 |
| commit | 51547bb879f66d3b4e46d69c112047d39dc234cc (patch) | |
| tree | 56dfc78d6c4171c109779b6349191d211aaa4918 /MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | |
| parent | 0ba17ade477cda3cac9419f6b00996b3b45135c5 (diff) | |
| download | edk2-platforms-51547bb879f66d3b4e46d69c112047d39dc234cc.tar.xz | |
Remove the complex buffer since the _LOCK_VARIABLE won't be allowed after leaving DXE phase.
Add the variable name size check in the RequestToLock wrapper.
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14377 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c')
| -rw-r--r-- | MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c index 865b9ad1a4..e7b10149fb 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c @@ -186,6 +186,7 @@ VariableLockRequestToLock ( )
{
EFI_STATUS Status;
+ UINTN VariableNameSize;
UINTN PayloadSize;
SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *VariableToLock;
@@ -193,13 +194,22 @@ VariableLockRequestToLock ( return EFI_INVALID_PARAMETER;
}
+ VariableNameSize = StrSize (VariableName);
+
+ //
+ // If VariableName exceeds SMM payload limit. Return failure
+ //
+ if (VariableNameSize > mVariableBufferPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
AcquireLockOnlyAtBootTime(&mVariableServicesLock);
//
// Init the communicate buffer. The buffer data size is:
// SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.
//
- PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + StrSize (VariableName);
+ PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + VariableNameSize;
Status = InitCommunicateBuffer ((VOID **) &VariableToLock, PayloadSize, SMM_VARIABLE_FUNCTION_LOCK_VARIABLE);
if (EFI_ERROR (Status)) {
goto Done;
@@ -207,7 +217,7 @@ VariableLockRequestToLock ( ASSERT (VariableToLock != NULL);
CopyGuid (&VariableToLock->Guid, VendorGuid);
- VariableToLock->NameSize = StrSize (VariableName);
+ VariableToLock->NameSize = VariableNameSize;
CopyMem (VariableToLock->Name, VariableName, VariableToLock->NameSize);
//
|