Fix the TOCTOU issue of CommBufferSize itself for SMM communicate handler input.

[mirror_edk2.git] / MdeModulePkg / Universal / FaultTolerantWriteDxe / FaultTolerantWriteSmm.c

diff --git a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
index 2580d478a38c1fb493699e83a0e10a5acaffa67b..2b3a63081dce9af81762253591d4801873c91c81 100644 (file)
--- a/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
+++ b/MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.c
@@ -372,7 +372,7 @@ SmmFaultTolerantWriteHandler (
   UINTN                                            CommBufferPayloadSize;\r
   UINTN                                            PrivateDataSize;\r
   UINTN                                            Length;\r
-\r
+  UINTN                                            TempCommBufferSize;\r
 \r
   //\r
   // If input is invalid, stop processing this SMI\r
@@ -381,13 +381,15 @@ SmmFaultTolerantWriteHandler (
     return EFI_SUCCESS;\r
   }\r
 \r
-  if (*CommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {\r
+  TempCommBufferSize = *CommBufferSize;\r
+\r
+  if (TempCommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {\r
     DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer size invalid!\n"));\r
     return EFI_SUCCESS;\r
   }\r
-  CommBufferPayloadSize = *CommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE;\r
+  CommBufferPayloadSize = TempCommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE;\r
 \r
-  if (!InternalIsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {\r
+  if (!InternalIsAddressValid ((UINTN)CommBuffer, TempCommBufferSize)) {\r
     DEBUG ((EFI_D_ERROR, "SmmFtwHandler: SMM communication buffer in SMRAM or overflow!\n"));\r
     return EFI_SUCCESS;\r
   }\r