Add code to check boot option variable before use it

[mirror_edk2.git] / IntelFrameworkModulePkg / Library / GenericBdsLib / BdsMisc.c

diff --git a/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c b/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c
index 881f4dc0025226937fa0bd3afa925ad8213370fa..9993e4b19d4bdfcfc242c45af99ecd43d2f2bfc2 100644 (file)
--- a/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c
+++ b/IntelFrameworkModulePkg/Library/GenericBdsLib/BdsMisc.c
@@ -1,7 +1,7 @@
 /** @file\r
   Misc BDS library function\r
 \r
-Copyright (c) 2004 - 2011, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2004 - 2012, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials\r
 are licensed and made available under the terms and conditions of the BSD License\r
 which accompanies this distribution.  The full text of the license may be found at\r
@@ -257,6 +257,14 @@ BdsLibRegisterNewOption (
     if (OptionPtr == NULL) {\r
       continue;\r
     }\r
+\r
+    //\r
+    // Validate the variable.\r
+    //\r
+    if (!ValidateOption(OptionPtr, OptionSize)) {\r
+      continue;\r
+    }\r
+\r
     TempPtr         =   OptionPtr;\r
     TempPtr         +=  sizeof (UINT32) + sizeof (UINT16);\r
     Description     =   (CHAR16 *) TempPtr;\r
@@ -425,7 +433,7 @@ GetDevicePathSizeEx (
   Size = 0;\r
   while (!IsDevicePathEnd (DevicePath)) {\r
     NodeSize = DevicePathNodeLength (DevicePath);\r
-    if (NodeSize == 0) {\r
+    if (NodeSize < END_DEVICE_PATH_LENGTH) {\r
       return 0;\r
     }\r
     Size += NodeSize;\r
@@ -480,6 +488,100 @@ StrSizeEx (
   return (Length + 1) * sizeof (*String);\r
 }\r
 \r
+/**\r
+  Validate the EFI Boot#### variable (VendorGuid/Name)\r
+\r
+  @param  Variable              Boot#### variable data.\r
+  @param  VariableSize          Returns the size of the EFI variable that was read\r
+\r
+  @retval TRUE                  The variable data is correct.\r
+  @retval FALSE                 The variable data is corrupted.\r
+\r
+**/\r
+BOOLEAN \r
+ValidateOption (\r
+  UINT8                     *Variable,\r
+  UINTN                     VariableSize\r
+  )\r
+{\r
+  UINT16                    FilePathSize;\r
+  UINT8                     *TempPtr;\r
+  EFI_DEVICE_PATH_PROTOCOL  *DevicePath;\r
+  EFI_DEVICE_PATH_PROTOCOL  *TempPath;\r
+  UINTN                     TempSize;\r
+\r
+  //\r
+  // Skip the option attribute\r
+  //\r
+  TempPtr    = Variable;\r
+  TempPtr   += sizeof (UINT32);\r
+\r
+  //\r
+  // Get the option's device path size\r
+  //\r
+  FilePathSize  = *(UINT16 *) TempPtr;\r
+  TempPtr      += sizeof (UINT16);\r
+\r
+  //\r
+  // Get the option's description string size\r
+  //\r
+  TempSize = StrSizeEx ((CHAR16 *) TempPtr, VariableSize);\r
+  TempPtr += TempSize;\r
+\r
+  //\r
+  // Get the option's device path\r
+  //\r
+  DevicePath =  (EFI_DEVICE_PATH_PROTOCOL *) TempPtr;\r
+  TempPtr    += FilePathSize;\r
+\r
+  //\r
+  // Validation boot option variable.\r
+  //\r
+  if ((FilePathSize == 0) || (TempSize == 0)) {\r
+    return FALSE;\r
+  }\r
+\r
+  if (TempSize + FilePathSize + sizeof (UINT16) + sizeof (UINT16) > VariableSize) {\r
+    return FALSE;\r
+  }\r
+\r
+  TempPath = DevicePath;\r
+  while (FilePathSize > 0) {\r
+    TempSize = GetDevicePathSizeEx (TempPath, FilePathSize);\r
+    if (TempSize == 0) {\r
+      return FALSE;\r
+    }\r
+    FilePathSize = (UINT16) (FilePathSize - TempSize);\r
+    TempPath    += TempSize;\r
+  }\r
+\r
+  return TRUE;\r
+}\r
+\r
+/**\r
+  Convert a single character to number.\r
+  It assumes the input Char is in the scope of L'0' ~ L'9' and L'A' ~ L'F'\r
+  \r
+  @param Char    The input char which need to change to a hex number.\r
+  \r
+**/\r
+UINTN\r
+CharToUint (\r
+  IN CHAR16                           Char\r
+  )\r
+{\r
+  if ((Char >= L'0') && (Char <= L'9')) {\r
+    return (UINTN) (Char - L'0');\r
+  }\r
+\r
+  if ((Char >= L'A') && (Char <= L'F')) {\r
+    return (UINTN) (Char - L'A' + 0xA);\r
+  }\r
+\r
+  ASSERT (FALSE);\r
+  return 0;\r
+}\r
+\r
 /**\r
   Build the boot#### or driver#### option from the VariableName, the\r
   build boot#### or driver#### will also be linked to BdsCommonOptionList.\r
@@ -524,6 +626,14 @@ BdsLibVariableToOption (
   if (Variable == NULL) {\r
     return NULL;\r
   }\r
+\r
+  //\r
+  // Validate Boot#### variable data.\r
+  //\r
+  if (!ValidateOption(Variable, VariableSize)) {\r
+    return NULL;\r
+  }\r
+\r
   //\r
   // Notes: careful defined the variable of Boot#### or\r
   // Driver####, consider use some macro to abstract the code\r
@@ -613,11 +723,11 @@ BdsLibVariableToOption (
   // Unicode stream to ASCII without any loss in meaning.\r
   //\r
   if (*VariableName == 'B') {\r
-    NumOff = (UINT8) (sizeof (L"Boot") / sizeof(CHAR16) - 1);\r
-    Option->BootCurrent = (UINT16) ((VariableName[NumOff]  -'0') * 0x1000);\r
-    Option->BootCurrent = (UINT16) (Option->BootCurrent + ((VariableName[NumOff+1]-'0') * 0x100));\r
-    Option->BootCurrent = (UINT16) (Option->BootCurrent +  ((VariableName[NumOff+2]-'0') * 0x10));\r
-    Option->BootCurrent = (UINT16) (Option->BootCurrent + ((VariableName[NumOff+3]-'0')));\r
+    NumOff = (UINT8) (sizeof (L"Boot") / sizeof (CHAR16) - 1);\r
+    Option->BootCurrent = (UINT16) (CharToUint (VariableName[NumOff+0]) * 0x1000) \r
+               + (UINT16) (CharToUint (VariableName[NumOff+1]) * 0x100)\r
+               + (UINT16) (CharToUint (VariableName[NumOff+2]) * 0x10)\r
+               + (UINT16) (CharToUint (VariableName[NumOff+3]) * 0x1);\r
   }\r
   //\r
   // Insert active entry to BdsDeviceList\r