ShellPkg: Fix buffer overflow issue in 'map' command.

This patch replace 'StrnCat' with 'StrnCatS' to avoid the buffer overflow in 'map.c'.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qiu Shumin <shumin.qiu@intel.com>
Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17387 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/ShellPkg/Library/UefiShellLevel2CommandsLib/Map.c b/ShellPkg/Library/UefiShellLevel2CommandsLib/Map.c
index 087daac54e4be97adec267eb6a0456cb0830896b..a41a5f1cf6c151bdb9fd30846d6a8342c948ebe8 100644 (file)
--- a/ShellPkg/Library/UefiShellLevel2CommandsLib/Map.c
+++ b/ShellPkg/Library/UefiShellLevel2CommandsLib/Map.c
@@ -2,7 +2,7 @@
   Main file for map shell level 2 command.\r
 \r
   (C) Copyright 2013-2015 Hewlett-Packard Development Company, L.P.<BR>\r
-  Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>\r
+  Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>\r
   This program and the accompanying materials\r
   are licensed and made available under the terms and conditions of the BSD License\r
   which accompanies this distribution.  The full text of the license may be found at\r
@@ -224,6 +224,8 @@ MappingListHasType(
   )\r
 {\r
   CHAR16 *NewSpecific;\r
+  RETURN_STATUS  Status;\r
+  \r
   //\r
   // specific has priority\r
   //\r
@@ -233,7 +235,11 @@ MappingListHasType(
       return FALSE;\r
     }\r
     if (NewSpecific[StrLen(NewSpecific)-1] != L':') {\r
-      StrnCat(NewSpecific, L":", 2);\r
+      Status = StrnCatS(NewSpecific, (StrSize(Specific) + sizeof(CHAR16))/sizeof(CHAR16), L":", StrLen(L":"));\r
+      if (EFI_ERROR (Status)) {\r
+        FreePool(NewSpecific);\r
+        return FALSE;\r
+      }\r
     }\r
 \r
     if (SearchList(MapList, NewSpecific, NULL, TRUE, FALSE, L";")) {\r
@@ -875,13 +881,18 @@ AddMappingFromMapping(
   CONST EFI_DEVICE_PATH_PROTOCOL  *DevPath;\r
   EFI_STATUS                      Status;\r
   CHAR16                          *NewSName;\r
+  RETURN_STATUS                   StrRetStatus;\r
   \r
   NewSName = AllocateCopyPool(StrSize(SName) + sizeof(CHAR16), SName);\r
   if (NewSName == NULL) {\r
     return (SHELL_OUT_OF_RESOURCES);\r
   }\r
   if (NewSName[StrLen(NewSName)-1] != L':') {\r
-    StrnCat(NewSName, L":", 2);\r
+    StrRetStatus = StrnCatS(NewSName, (StrSize(SName) + sizeof(CHAR16))/sizeof(CHAR16), L":", StrLen(L":"));\r
+    if (EFI_ERROR(StrRetStatus)) {\r
+      FreePool(NewSName);\r
+      return ((SHELL_STATUS) (StrRetStatus & (~MAX_BIT)));\r
+    }\r
   }\r
 \r
   if (!IsNumberLetterOnly(NewSName, StrLen(NewSName)-1)) {\r
@@ -927,13 +938,18 @@ AddMappingFromHandle(
   EFI_DEVICE_PATH_PROTOCOL  *DevPath;\r
   EFI_STATUS                Status;\r
   CHAR16                    *NewSName;\r
+  RETURN_STATUS             StrRetStatus;\r
   \r
   NewSName = AllocateCopyPool(StrSize(SName) + sizeof(CHAR16), SName);\r
   if (NewSName == NULL) {\r
     return (SHELL_OUT_OF_RESOURCES);\r
   }\r
   if (NewSName[StrLen(NewSName)-1] != L':') {\r
-    StrnCat(NewSName, L":", 2);\r
+    StrRetStatus = StrnCatS(NewSName, (StrSize(SName) + sizeof(CHAR16))/sizeof(CHAR16), L":", StrLen(L":"));\r
+    if (EFI_ERROR(StrRetStatus)) {\r
+      FreePool(NewSName);\r
+      return ((SHELL_STATUS) (StrRetStatus & (~MAX_BIT)));\r
+    }\r
   }\r
 \r
   if (!IsNumberLetterOnly(NewSName, StrLen(NewSName)-1)) {\r