From 56251c669f0f13d2ffc226cfd3a3d8c5f8269e7a Mon Sep 17 00:00:00 2001
From: czhang46
Date: Mon, 22 Apr 2013 08:52:58 +0000
Subject: Fix potential overflow for SetVariable interface
Signed-off-by: Chao Zhang
Reviewed-by : Guo Dong
Reviewed-by : Siyuan Fu
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14305 6f19259b-4bc3-4df7-8a09-765794883524
---
SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c')
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
index 1595c8c206..ebe04b50f5 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@@ -2664,14 +2664,20 @@ VariableServiceSetVariable (
 PayloadSize = DataSize;
 }
+ if ((UINTN)(~0) - PayloadSize < StrSize(VariableName)){
+ //
+ // Prevent whole variable size overflow
+ //
+ return EFI_INVALID_PARAMETER;
+ }
+
 //
 // The size of the VariableName, including the Unicode Null in bytes plus
 // the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)
 // bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.
 //
 if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
- if ((PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize)) ||
- (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize))) {
+ if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {
 return EFI_INVALID_PARAMETER;
 }
 if (!IsHwErrRecVariable(VariableName, VendorGuid)) {
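Review bot: The rewritten limit check subtracts `sizeof (VARIABLE_HEADER)` from `PcdGet32 (PcdMaxHardwareErrorVariableSize)`, and the hunk at -2682 does the same with `PcdMaxVariableSize`, so a platform that configures either PCD below the header size makes the unsigned subtraction wrap and the comparison stops rejecting oversized requests. Nothing in the visible lines guarantees the PCDs exceed the header size; that may be enforced elsewhere, but a guard at the point of use keeps the check self-contained, e.g. `if (PcdGet32 (PcdMaxVariableSize) <= sizeof (VARIABLE_HEADER)) { return EFI_INVALID_PARAMETER; }`, or an `ASSERT` of the same condition at driver initialization. `StrSize (VariableName)` is also evaluated separately in the new overflow guard and in each limit check; caching it in a local `UINTN` would make it evident that both tests operate on the same value. The body of VariableServiceSetVariable starts and ends outside both hunks, so earlier validation of `DataSize` and `VariableName` cannot be confirmed from here.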
@@ -2682,8 +2688,7 @@ VariableServiceSetVariable (
 // The size of the VariableName, including the Unicode Null in bytes plus
 // the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.
 //
- if ((PayloadSize > PcdGet32 (PcdMaxVariableSize)) ||
- (sizeof (VARIABLE_HEADER) + StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize))) {
+ if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {
 return EFI_INVALID_PARAMETER;
 }
 }
-- cgit v1.2.3