From a1360fa3de6dade1b9d204284356df52bc58e801 Mon Sep 17 00:00:00 2001 From: Jeff Fan Date: Thu, 14 Aug 2014 02:00:11 +0000 Subject: Use StrnCat instead of StrCat to avoid target buffer overflow. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jeff Fan Reviewed-by: Eric Dong git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15797 6f19259b-4bc3-4df7-8a09-765794883524 --- .../Universal/BdsDxe/DeviceMngr/DeviceManager.c | 8 +++++--- IntelFrameworkModulePkg/Universal/BdsDxe/MemoryTest.c | 11 +++++++---- 2 files changed, 12 insertions(+), 7 deletions(-) (limited to 'IntelFrameworkModulePkg/Universal') diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c b/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c index 6a76c33f26..866df574f6 100644 --- a/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c +++ b/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c @@ -1,7 +1,7 @@ /** @file The platform device manager reference implementation -Copyright (c) 2004 - 2013, Intel Corporation. All rights reserved.
+Copyright (c) 2004 - 2014, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -1260,6 +1260,7 @@ CallDriverHealth ( LIST_ENTRY *Link; EFI_DEVICE_PATH_PROTOCOL *DriverDevicePath; BOOLEAN RebootRequired; + UINTN StringSize; Index = 0; DriverHealthInfo = NULL; @@ -1341,7 +1342,8 @@ CallDriverHealth ( // // Assume no line strings is longer than 512 bytes. // - String = (EFI_STRING) AllocateZeroPool (0x200); + StringSize = 0x200; + String = (EFI_STRING) AllocateZeroPool (StringSize); ASSERT (String != NULL); Status = DriverHealthGetDriverName (DriverHealthInfo->DriverHandle, &DriverName); @@ -1410,7 +1412,7 @@ CallDriverHealth ( } ASSERT (TmpString != NULL); - StrCat (String, TmpString); + StrnCat (String, TmpString, StringSize / sizeof (CHAR16) - StrLen (String) - 1); FreePool (TmpString); Token = HiiSetString (HiiHandle, 0, String, NULL); diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/MemoryTest.c b/IntelFrameworkModulePkg/Universal/BdsDxe/MemoryTest.c index 410d4f1db6..5a6fa78553 100644 --- a/IntelFrameworkModulePkg/Universal/BdsDxe/MemoryTest.c +++ b/IntelFrameworkModulePkg/Universal/BdsDxe/MemoryTest.c @@ -1,7 +1,7 @@ /** @file Perform the platform memory test -Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.
+Copyright (c) 2004 - 2014, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -230,11 +230,13 @@ BdsMemoryTest ( EFI_GRAPHICS_OUTPUT_BLT_PIXEL Color; BOOLEAN IsFirstBoot; UINT32 TempData; + UINTN StrTotalMemorySize; ReturnStatus = EFI_SUCCESS; ZeroMem (&Key, sizeof (EFI_INPUT_KEY)); - Pos = AllocatePool (128); + StrTotalMemorySize = 128; + Pos = AllocateZeroPool (StrTotalMemorySize); if (Pos == NULL) { return ReturnStatus; @@ -322,7 +324,7 @@ BdsMemoryTest ( // // TmpStr size is 64, StrPercent is reserved to 16. // - StrCat (StrPercent, TmpStr); + StrnCat (StrPercent, TmpStr, sizeof (StrPercent) / sizeof (CHAR16) - StrLen (StrPercent) - 1); PrintXY (10, 10, NULL, NULL, StrPercent); FreePool (TmpStr); } @@ -382,11 +384,12 @@ Done: UnicodeValueToString (StrTotalMemory, COMMA_TYPE, TotalMemorySize, 0); if (StrTotalMemory[0] == L',') { StrTotalMemory++; + StrTotalMemorySize -= sizeof (CHAR16); } TmpStr = GetStringById (STRING_TOKEN (STR_MEM_TEST_COMPLETED)); if (TmpStr != NULL) { - StrCat (StrTotalMemory, TmpStr); + StrnCat (StrTotalMemory, TmpStr, StrTotalMemorySize / sizeof (CHAR16) - StrLen (StrTotalMemory) - 1); FreePool (TmpStr); } -- cgit v1.2.3