From 4e33001c6ead8d8696cd22e1c194ab9c02dc8792 Mon Sep 17 00:00:00 2001
From: sfu5
Date: Wed, 9 May 2012 10:45:09 +0000
Subject: Fixes buffer read overflow bugs in authenticated variable driver.
Signed-off-by: Fu Siyuan
Reviewed-by: Dong Guo
Reviewed-by: Ye Ting
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13298 6f19259b-4bc3-4df7-8a09-765794883524
---
 SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 6d41de904b..784afae93b 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -1399,6 +1399,9 @@ ProcessVariable (
 // Update public key database variable if need.
 //
 KeyIndex = AddPubKeyInStore (PubKey);
+ if (KeyIndex == 0) {
+ return EFI_SECURITY_VIOLATION;
+ }
 }
 //
@@ -2179,7 +2182,7 @@ VerifyTimeBasedPayload (
 CertList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (PkVariable.CurrPtr);
 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
 RootCert = Cert->SignatureData;
- RootCertSize = CertList->SignatureSize;
+ RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
 //
@@ -2224,7 +2227,7 @@ VerifyTimeBasedPayload (
 // Iterate each Signature Data Node within this CertList for a verify
 //
 RootCert = Cert->SignatureData;
- RootCertSize = CertList->SignatureSize;
+ RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
 //
 // Verify Pkcs7 SignedData via Pkcs7Verify library.
--
cgit v1.2.3
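Review bot: In the ProcessVariable hunk (@@ -1399), the added `if (KeyIndex == 0)` check relies on 0 being the failure value of AddPubKeyInStore, which nothing visible here states. If that is its contract, a comment above the check such as `// AddPubKeyInStore returns 0 when the key could not be added; 0 is never a valid key index.` would record it. If 0 can also mean the key store is full, `EFI_SECURITY_VIOLATION` reports resource exhaustion as a security failure, and `EFI_OUT_OF_RESOURCES` may be the more accurate status; this should be confirmed against AddPubKeyInStore. ProcessVariable starts and ends outside the hunk, so whether any state is modified before this early return cannot be checked from here.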
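Review bot: The new `RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);` in VerifyTimeBasedPayload (hunk @@ -2179, and identically in hunk @@ -2224) puts no lower bound on `SignatureSize`. If a signature list carries a `SignatureSize` smaller than the EFI_SIGNATURE_DATA header, the subtraction wraps (assuming the usual unsigned types for these fields) and produces a very large certificate size, the same kind of over-read this commit sets out to fix. A guard before the assignment would close it, for example `if (CertList->SignatureSize < OFFSET_OF (EFI_SIGNATURE_DATA, SignatureData)) { return EFI_SECURITY_VIOLATION; }`; in the second hunk, which its comment describes as an iteration, skipping the list may fit better. Writing the header size as `OFFSET_OF (EFI_SIGNATURE_DATA, SignatureData)` rather than `sizeof (...) - 1` would also state the intent directly. The function body extends outside both hunks, so an earlier size validation may already exist there.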