SMM_FTW_GET_LAST_WRITE_HEADER *SmmFtwGetLastWriteHeader;\r
VOID *PrivateData;\r
EFI_HANDLE SmmFvbHandle;\r
+ UINTN InfoSize;\r
\r
- ASSERT (CommBuffer != NULL);\r
- ASSERT (CommBufferSize != NULL);\r
+\r
+ //\r
+ // If input is invalid, stop processing this SMI\r
+ //\r
+ if (CommBuffer == NULL || CommBufferSize == NULL) {\r
+ return EFI_SUCCESS;\r
+ }\r
+\r
+ if (*CommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE) {\r
+ return EFI_SUCCESS;\r
+ }\r
\r
if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBuffer, *CommBufferSize)) {\r
DEBUG ((EFI_D_ERROR, "SMM communication buffer size is in SMRAM!\n"));\r
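Review bot: `*CommBufferSize` is dereferenced afresh at every use, at L16 and L20 here and again at L32 and L63 in the two following hunks, so if that size lives in memory the caller can still write during the SMI, the value compared against `SMM_FTW_COMMUNICATE_HEADER_SIZE` is not necessarily the value the later bounds arithmetic subtracts from. Snapshot it once after the NULL checks, e.g. `TempCommBufferSize = *CommBufferSize;` with a `UINTN` local declared alongside the others at the top of the handler, and use the local in every later check. Whether the pointer targets SMRAM or the shared buffer is not visible in this diff, so treat this as a defensive measure to confirm against the SMM core's calling convention. The enclosing handler starts before this hunk and continues after it.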
SmmFtwFunctionHeader = (SMM_FTW_COMMUNICATE_FUNCTION_HEADER *)CommBuffer;\r
switch (SmmFtwFunctionHeader->Function) {\r
case FTW_FUNCTION_GET_MAX_BLOCK_SIZE:\r
- SmmGetMaxBlockSizeHeader = (SMM_FTW_GET_MAX_BLOCK_SIZE_HEADER *) SmmFtwFunctionHeader->Data; \r
+ SmmGetMaxBlockSizeHeader = (SMM_FTW_GET_MAX_BLOCK_SIZE_HEADER *) SmmFtwFunctionHeader->Data;\r
+ InfoSize = sizeof (SMM_FTW_GET_MAX_BLOCK_SIZE_HEADER);\r
+\r
+ //\r
+ // SMRAM range check already covered before\r
+ //\r
+ if (InfoSize > *CommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE) {\r
+ DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));\r
+ Status = EFI_ACCESS_DENIED;\r
+ break;\r
+ }\r
+\r
Status = FtwGetMaxBlockSize (\r
&mFtwDevice->FtwInstance,\r
&SmmGetMaxBlockSizeHeader->BlockSize\r
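Review bot: The subtraction `*CommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE` at L32 only avoids wrapping because of the `*CommBufferSize < SMM_FTW_COMMUNICATE_HEADER_SIZE` early return added earlier in the handler, but the comment above it at L30 mentions only the SMRAM range check, so the dependency is easy to lose in a later edit. State it in the comment, e.g. `// *CommBufferSize >= SMM_FTW_COMMUNICATE_HEADER_SIZE was verified above, so this subtraction cannot wrap; the SMRAM overlap check also ran already.` The same comment is duplicated at L61 for FTW_FUNCTION_GET_LAST_WRITE and should say the same. The switch and the enclosing handler continue outside this hunk.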
\r
case FTW_FUNCTION_GET_LAST_WRITE:\r
SmmFtwGetLastWriteHeader = (SMM_FTW_GET_LAST_WRITE_HEADER *) SmmFtwFunctionHeader->Data;\r
- if (((UINT8*)SmmFtwGetLastWriteHeader->Data > (UINT8*)CommBuffer) && \r
- ((UINT8*)SmmFtwGetLastWriteHeader->Data + SmmFtwGetLastWriteHeader->PrivateDataSize <= (UINT8*)CommBuffer + (*CommBufferSize))) {\r
- Status = FtwGetLastWrite (\r
- &mFtwDevice->FtwInstance,\r
- &SmmFtwGetLastWriteHeader->CallerId,\r
- &SmmFtwGetLastWriteHeader->Lba,\r
- &SmmFtwGetLastWriteHeader->Offset,\r
- &SmmFtwGetLastWriteHeader->Length,\r
- &SmmFtwGetLastWriteHeader->PrivateDataSize,\r
- (VOID *)SmmFtwGetLastWriteHeader->Data,\r
- &SmmFtwGetLastWriteHeader->Complete\r
- );\r
- } else {\r
- Status = EFI_INVALID_PARAMETER;\r
+ InfoSize = OFFSET_OF (SMM_FTW_GET_LAST_WRITE_HEADER, Data) + SmmFtwGetLastWriteHeader->PrivateDataSize;\r
+\r
+ //\r
+ // SMRAM range check already covered before\r
+ //\r
+ if (InfoSize > *CommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE) {\r
+ DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));\r
+ Status = EFI_ACCESS_DENIED;\r
+ break;\r
}\r
+\r
+ Status = FtwGetLastWrite (\r
+ &mFtwDevice->FtwInstance,\r
+ &SmmFtwGetLastWriteHeader->CallerId,\r
+ &SmmFtwGetLastWriteHeader->Lba,\r
+ &SmmFtwGetLastWriteHeader->Offset,\r
+ &SmmFtwGetLastWriteHeader->Length,\r
+ &SmmFtwGetLastWriteHeader->PrivateDataSize,\r
+ (VOID *)SmmFtwGetLastWriteHeader->Data,\r
+ &SmmFtwGetLastWriteHeader->Complete\r
+ );\r
break;\r
\r
default:\r
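Review bot: The size computed at L58 can wrap: `PrivateDataSize` is a caller-supplied UINTN read from the communication buffer, and adding `OFFSET_OF (SMM_FTW_GET_LAST_WRITE_HEADER, Data)` to a value near the type's maximum produces a small InfoSize that passes the check at L63, after which FtwGetLastWrite receives the unreduced PrivateDataSize (L75) and a Data pointer the check no longer bounds; what it does with them is not visible here, but the check exists to prevent exactly that. Detect the wrap before comparing, e.g. `if (InfoSize < SmmFtwGetLastWriteHeader->PrivateDataSize || InfoSize > *CommBufferSize - SMM_FTW_COMMUNICATE_HEADER_SIZE) {`, since an unsigned sum that wrapped is smaller than either addend. Separately, `&SmmFtwGetLastWriteHeader->PrivateDataSize` points into the shared buffer, so the value FtwGetLastWrite reads may differ from the one just validated if the caller can write the buffer during the SMI; copying the size into a local, passing that, and writing it back afterwards would close the gap. The enclosing handler starts before this hunk and the switch continues after `default:`.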