NetworkPkg/IScsiDxe: fix potential integer overflow in IScsiBinToHex()

[mirror_edk2.git] / NetworkPkg / IScsiDxe / IScsiMisc.c

diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index b8fef3ff6f5a4d571a872825b58feb81b9c19dc1..42988e15cb06597d835a9e81ea1a4c83910a27cb 100644 (file)
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -316,6 +316,7 @@ IScsiMacAddrToStr (
   @retval EFI_SUCCESS          The binary data is converted to the hexadecimal string\r
                                and the length of the string is updated.\r
   @retval EFI_BUFFER_TOO_SMALL The string is too small.\r
+  @retval EFI_BAD_BUFFER_SIZE  BinLength is too large for hex encoding.\r
   @retval EFI_INVALID_PARAMETER The IP string is malformatted.\r
 \r
 **/\r
@@ -327,18 +328,28 @@ IScsiBinToHex (
   IN OUT UINT32 *HexLength\r
   )\r
 {\r
-  UINTN Index;\r
+  UINT32 HexLengthMin;\r
+  UINT32 HexLengthProvided;\r
+  UINT32 Index;\r
 \r
   if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) {\r
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
-  if (((*HexLength) - 3) < BinLength * 2) {\r
-    *HexLength = BinLength * 2 + 3;\r
+  //\r
+  // Safely calculate: HexLengthMin := BinLength * 2 + 3.\r
+  //\r
+  if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) ||\r
+      RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) {\r
+    return EFI_BAD_BUFFER_SIZE;\r
+  }\r
+\r
+  HexLengthProvided = *HexLength;\r
+  *HexLength = HexLengthMin;\r
+  if (HexLengthProvided < HexLengthMin) {\r
     return EFI_BUFFER_TOO_SMALL;\r
   }\r
 \r
-  *HexLength = BinLength * 2 + 3;\r
   //\r
   // Prefix for Hex String.\r
   //\r