ShellPkg/map: Fix out-of-bound read when "map fsn"
authorRuiyu Ni <ruiyu.ni@intel.com>
Mon, 5 Feb 2018 05:49:32 +0000 (13:49 +0800)
committerRuiyu Ni <ruiyu.ni@intel.com>
Tue, 6 Feb 2018 09:31:16 +0000 (17:31 +0800)
The code below reads one additional CHAR16 when copying
content from Specific to NewSpecific.
NewSpecific = AllocateCopyPool(
                StrSize(Specific) + sizeof(CHAR16), Specific
                );

The patch fixes this issue.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
ShellPkg/Library/UefiShellLevel2CommandsLib/Map.c

index 3f5925f..9166ca2 100644 (file)
@@ -1,7 +1,7 @@
 /** @file\r
   Main file for map shell level 2 command.\r
 \r
-  Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>\r
+  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
   (C) Copyright 2013-2015 Hewlett-Packard Development Company, L.P.<BR>\r
   (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
   \r
@@ -220,19 +220,25 @@ MappingListHasType(
   IN CONST BOOLEAN    Consist\r
   )\r
 {\r
-  CHAR16 *NewSpecific;\r
-  RETURN_STATUS  Status;\r
+  CHAR16              *NewSpecific;\r
+  RETURN_STATUS       Status;\r
+  UINTN               Length;\r
   \r
   //\r
   // specific has priority\r
   //\r
   if (Specific != NULL) {\r
-    NewSpecific = AllocateCopyPool(StrSize(Specific) + sizeof(CHAR16), Specific);\r
+    Length      = StrLen (Specific);\r
+    //\r
+    // Allocate enough buffer for Specific and potential ":"\r
+    //\r
+    NewSpecific = AllocatePool ((Length + 2) * sizeof(CHAR16));\r
     if (NewSpecific == NULL){\r
       return FALSE;\r
     }\r
-    if (NewSpecific[StrLen(NewSpecific)-1] != L':') {\r
-      Status = StrnCatS(NewSpecific, (StrSize(Specific) + sizeof(CHAR16))/sizeof(CHAR16), L":", StrLen(L":"));\r
+    StrCpyS (NewSpecific, Length + 2, Specific);\r
+    if (Specific[Length - 1] != L':') {\r
+      Status = StrnCatS(NewSpecific, Length + 2, L":", StrLen(L":"));\r
       if (EFI_ERROR (Status)) {\r
         FreePool(NewSpecific);\r
         return FALSE;\r
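Review bot: The new colon check `Specific[Length - 1]` still reads out of bounds when `Specific` is an empty string, because `Length` is a `UINTN` and `Length - 1` wraps around when `Length` is 0. Whether any caller can pass an empty string is not visible in this hunk, so a guard is cheap: `if (Length == 0 || Specific[Length - 1] != L':') {`, or return FALSE early if an empty name is not meaningful. The `StrCpyS` result is also discarded while the `StrnCatS` result just below is checked; testing it the same way would keep the two calls consistent. The function body continues past the end of the hunk.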