Fix the TOCTOU issue of CommBufferSize itself for SMM communicate handler input.
[mirror_edk2.git] / MdeModulePkg / Universal / Acpi / FirmwarePerformanceDataTableSmm / FirmwarePerformanceSmm.c
index f3472e26f3db70e3afadb5c7cb15395d3dff7011..9c5fd4db85a61ae2de20c3a4ac10732f20d38ef7 100644 (file)
@@ -268,6 +268,7 @@ FpdtSmiHandler (
   SMM_BOOT_RECORD_COMMUNICATE  *SmmCommData;\r
   UINTN                        BootRecordSize;\r
   VOID                         *BootRecordData;\r
+  UINTN                        TempCommBufferSize;\r
 \r
   //\r
   // If input is invalid, stop processing this SMI\r
@@ -276,11 +277,13 @@ FpdtSmiHandler (
     return EFI_SUCCESS;\r
   }\r
 \r
-  if(*CommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {\r
+  TempCommBufferSize = *CommBufferSize;\r
+\r
+  if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {\r
     return EFI_SUCCESS;\r
   }\r
   \r
-  if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {\r
+  if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {\r
     DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM communication data buffer in SMRAM or overflow!\n"));\r
     return EFI_SUCCESS;\r
   }\r
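Review bot: The snapshot `TempCommBufferSize = *CommBufferSize;` has no comment explaining why the size is copied into a local, so a later cleanup could fold it back into two reads of `*CommBufferSize` and reopen the race this commit closes. I would add above it `// Read *CommBufferSize exactly once: the value is handler input and may change between the checks and later use.` FpdtSmiHandler continues past this hunk, so it is not visible here whether any later statement still dereferences `CommBufferSize`. It is also not visible whether fields reached through `SmmCommData` are fetched more than once; both are worth confirming, since they would need the same single-fetch handling. As a minor style point, the new `if(TempCommBufferSize < ...` keeps the missing space after `if` that the neighbouring `if (!InternalIsAddressValid` line does not have.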