From 894d038a8d0e99d456042e2b6d1554c4a406ea70 Mon Sep 17 00:00:00 2001 From: vanjeff Date: Mon, 29 Jun 2009 09:19:25 +0000 Subject: add security check. git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@8680 6f19259b-4bc3-4df7-8a09-765794883524 --- MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c') diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c index ad7d139cf7..9b5080f15d 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c @@ -274,6 +274,7 @@ PxeBcTryBinl ( PXEBC_CACHED_DHCP4_PACKET *CachedPacket; EFI_DHCP4_PACKET *Reply; + ASSERT (Index < PXEBC_MAX_OFFER_NUM); ASSERT (Private->Dhcp4Offers[Index].OfferType == DHCP4_PACKET_TYPE_BINL); Offer = &Private->Dhcp4Offers[Index].Packet.Offer; @@ -560,6 +561,7 @@ PxeBcCacheDhcpOffer ( } OfferType = CachedOffer->OfferType; + ASSERT (OfferType < DHCP4_PACKET_TYPE_MAX); if (OfferType == DHCP4_PACKET_TYPE_BOOTP) { @@ -603,6 +605,7 @@ PxeBcCacheDhcpOffer ( // // It's a dhcp offer with your address. // + ASSERT (Private->ServerCount[OfferType] < PXEBC_MAX_OFFER_NUM); Private->OfferIndex[OfferType][Private->ServerCount[OfferType]] = Private->NumOffers; Private->ServerCount[OfferType]++; } @@ -1119,6 +1122,7 @@ PxeBcDiscvBootService ( EFI_DHCP4_HEADER *DhcpHeader; UINT32 Xid; + ASSERT (IsDiscv && (Layer != NULL)); Mode = Private->PxeBc.Mode; Dhcp4 = Private->Dhcp4; @@ -1717,15 +1721,21 @@ PxeBcSelectBootMenu ( MenuSize = VendorOpt->BootMenuLen; MenuItem = VendorOpt->BootMenu; + if (MenuSize == 0) { + return EFI_NOT_READY; + } + while (MenuSize > 0) { MenuArray[Index] = MenuItem; MenuSize = (UINT8) (MenuSize - (MenuItem->DescLen + 3)); MenuItem = (PXEBC_BOOT_MENU_ENTRY *) ((UINT8 *) MenuItem + MenuItem->DescLen + 3); - Index++; + if (Index++ > (PXEBC_MAX_MENU_NUM - 1)) { + break; + } } if (UseDefaultItem) { - CopyMem (Type, &MenuArray[0]->Type, sizeof (UINT16)); + *Type = MenuArray[0]->Type; *Type = NTOHS (*Type); return EFI_SUCCESS; } -- cgit v1.2.3