From 164a9b6752a63fca7d91ca0dcf84c0b4aa7a243d Mon Sep 17 00:00:00 2001
From: lzeng14
Date: Tue, 21 May 2013 02:22:02 +0000
Subject: Fix the TOCTOU issue of CommBufferSize itself for SMM communicate handler input.

Signed-off-by: Star Zeng
Reviewed-by: Jiewen Yao

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14379 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'MdeModulePkg/Universal/FaultTolerantWriteDxe')

diff --git a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
index 2580d478a3..2b3a63081d 100644
--- a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
+++ b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
@@ -372,7 +372,7 @@ SmmFaultTolerantWriteHandler (
 UINTN CommBufferPayloadSize;
 UINTN PrivateDataSize;
 UINTN Length;
-
+ UINTN TempCommBufferSize;
 
 //
 // If input is invalid, stop processing this SMI
@@ -381,13 +381,15 @@ SmmFaultTolerantWriteHandler (
 return EFI_SUCCESS;
 }
 
- if (*CommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {
+ TempCommBufferSize = *CommBufferSize;
+
+ if (TempCommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {
 DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer size invalid!\n"));
 return EFI_SUCCESS;
 }
- CommBufferPayloadSize = *CommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE;
+ CommBufferPayloadSize = TempCommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE;
 
- if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
+ if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {
 DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer in SMRAM or overflow!\n"));
 return EFI_SUCCESS;
 }
-- 
cgit v1.2.3
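Review bot: The snapshot `TempCommBufferSize = *CommBufferSize;` in the second hunk carries no comment saying why the copy exists, so a later edit could reintroduce a direct `*CommBufferSize` read after the size and address checks. I would add above it `// Read the size once; the caller-supplied value may change between the check and the use.` SmmFaultTolerantWriteHandler continues past the end of the hunk, so any remaining `*CommBufferSize` dereference, or repeated read of a length field inside CommBuffer, is not visible here and should be checked for the same double-fetch pattern. Since the pointer is not volatile-qualified, the compiler is not strictly barred from re-loading the value instead of keeping the local; if that matters for the supported toolchains, performing the copy through a volatile-qualified access would make the single fetch explicit.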