IntelFrameworkModulePkg DeviceMngr: Potential read over memory boundary

This commit will resolve the issue brought by r17738.

String = AllocateCopyPool (BufferLen, L"MAC:");

The above using of AllocateCopyPool() will read contents out of the scope
of the constant string. Potential risk for the constant string allocated
at the boundary of memory region.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qiu Shumin <shumin.qiu@intel.com>
Reviewed-by: Jeff Fan <jeff.fan@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17933 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c b/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c
index 5da0d470a32dc6f7b8814a9ca8d07047721a697b..af2b18a047e524da3a1c2e32f76903b4909ea366 100644 (file)
--- a/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c
+++ b/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c
@@ -374,12 +374,13 @@ GetMacAddressString(
   // The size is the Number size + ":" size + Vlan size(\XXXX) + End\r
   //\r
   BufferLen = (4 + 2 * HwAddressSize + (HwAddressSize - 1) + 5 + 1) * sizeof (CHAR16);\r
-  String = AllocateCopyPool (BufferLen, L"MAC:");\r
+  String = AllocateZeroPool (BufferLen);\r
   if (String == NULL) {\r
     return FALSE;\r
   }\r
 \r
   *PBuffer = String;\r
+  StrCpyS (String, BufferLen / sizeof (CHAR16), L"MAC:");\r
   String += 4;\r
   \r
   //\r