From 56251c669f0f13d2ffc226cfd3a3d8c5f8269e7a Mon Sep 17 00:00:00 2001
From: czhang46
Date: Mon, 22 Apr 2013 08:52:58 +0000
Subject: Fix potential overflow for SetVariable interface

Signed-off-by: Chao Zhang
Reviewed-by : Guo Dong
Reviewed-by : Siyuan Fu
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14305 6f19259b-4bc3-4df7-8a09-765794883524
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 13 +++++++++----
 .../Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 7 +++++++
 2 files changed, 16 insertions(+), 4 deletions(-)
(limited to 'MdeModulePkg/Universal/Variable/RuntimeDxe')
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
index 956c1f2ae1..cd3f5ef475 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
@@ -2218,14 +2218,20 @@ VariableServiceSetVariable (
 return EFI_INVALID_PARAMETER;
 }

+ if ((UINTN)(~0) - DataSize < StrSize(VariableName)){
+ //
+ // Prevent whole variable size overflow
+ //
+ return EFI_INVALID_PARAMETER;
+ }
+
 //
 // The size of the VariableName, including the Unicode Null in bytes plus
 // the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
 // bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
 //
 if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
- if ((DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||
- (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
+ if ( StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
 return EFI_INVALID_PARAMETER;
 }
 if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
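Review bot: The rewritten limit test in Variable.c, `StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)`, moves the header size to the right-hand side, where the unsigned subtraction wraps to a very large value if the PCD is ever configured smaller than `sizeof (VARIABLE_HEADER)`; the size limit would then stop rejecting anything. The same form is used for `PcdMaxVariableSize` in the second Variable.c hunk. The PCD values are not visible here and are presumably always larger than the header, but the precondition should be stated and enforced once, for example `ASSERT (PcdGet32 (PcdMaxVariableSize) > sizeof (VARIABLE_HEADER));` and the equivalent for the hardware-error PCD, in the driver's initialization outside this hunk. VariableServiceSetVariable starts and continues outside the hunk.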
@@ -2236,8 +2242,7 @@ VariableServiceSetVariable (
 // The size of the VariableName, including the Unicode Null in bytes plus
 // the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
 //
- if ((DataSize > PcdGet32 (PcdMaxVariableSize)) ||
- (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize))) {
+ if (StrSize (VariableName) + DataSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
 return EFI_INVALID_PARAMETER;
 }
 }
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
index b83f8c9f4b..4d60da1205 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
@@ -424,6 +424,13 @@ RuntimeServiceSetVariable (
 return EFI_INVALID_PARAMETER;
 }

+ if ((UINTN)(~0) - StrSize (VariableName) < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {
+ //
+ // Prevent PayloadSize overflow
+ //
+ return EFI_INVALID_PARAMETER;
+ }
+
 AcquireLockOnlyAtBootTime(&mVariableServicesLock);

 //
--
cgit v1.2.3
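Review bot: In the VariableSmmRuntimeDxe.c hunk the right-hand side of the new guard, `OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize`, is itself an unchecked addition: when DataSize is close enough to the maximum UINTN the sum wraps to a small number, the comparison passes, and the payload size computed afterwards can still overflow. Unless a check outside the hunk already bounds DataSize, test it first and compare by subtraction only, e.g. `if ((DataSize > (UINTN)(~0) - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) || ((UINTN)(~0) - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - DataSize < StrSize (VariableName))) {`. RuntimeServiceSetVariable begins and ends outside the hunk, so the PayloadSize computation itself is inferred from the added comment rather than seen.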