OvmfPkg/SecureBootConfigDxe: Avoid illegal access

When enrolling the certificate from a file, the suffix check function
check the last 4 characters to filter out non-DER files. However,
if the length of the file name is less than 4, the address prior to
the file name will be accessed while it shouldn't. This commit checks
the length of the file name to avoid illegal access.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Guo Dong <guo.dong@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14556 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c b/OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c
index c82c0f4f954877728151e4868b5d7e8359c3bf8e..928740a7ba3636814a50a5d1800e40a716bf7fef 100644 (file)
--- a/OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -373,6 +373,7 @@ EnrollPlatformKey (
   UINTN                           DataSize;\r
   EFI_SIGNATURE_LIST              *PkCert;\r
   UINT16*                         FilePostFix;\r
+  UINTN                           NameLength;\r
   \r
   if (Private->FileContext->FileName == NULL) {\r
     return EFI_INVALID_PARAMETER;\r
@@ -383,7 +384,11 @@ EnrollPlatformKey (
   //\r
   // Parse the file's postfix. Only support DER encoded X.509 certificate files.\r
   //\r
-  FilePostFix = Private->FileContext->FileName + StrLen (Private->FileContext->FileName) - 4;\r
+  NameLength = StrLen (Private->FileContext->FileName);\r
+  if (NameLength <= 4) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+  FilePostFix = Private->FileContext->FileName + NameLength - 4;\r
   if (!IsDerEncodeCertificate(FilePostFix)) {\r
     DEBUG ((EFI_D_ERROR, "Unsupported file type, only DER encoded certificate (%s) is supported.", mSupportX509Suffix));\r
     return EFI_INVALID_PARAMETER;\r
@@ -766,6 +771,7 @@ EnrollKeyExchangeKey (
   ) \r
 {\r
   UINT16*     FilePostFix;\r
+  UINTN       NameLength;\r
   \r
   if ((Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL)) {\r
     return EFI_INVALID_PARAMETER;\r
@@ -775,7 +781,11 @@ EnrollKeyExchangeKey (
   // Parse the file's postfix. Supports DER-encoded X509 certificate, \r
   // and .pbk as RSA public key file.\r
   //\r
-  FilePostFix = Private->FileContext->FileName + StrLen (Private->FileContext->FileName) - 4;\r
+  NameLength = StrLen (Private->FileContext->FileName);\r
+  if (NameLength <= 4) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+  FilePostFix = Private->FileContext->FileName + NameLength - 4;\r
   if (IsDerEncodeCertificate(FilePostFix)) {\r
     return EnrollX509ToKek (Private);\r
   } else if (CompareMem (FilePostFix, L".pbk",4) == 0) {\r
@@ -1508,6 +1518,7 @@ EnrollSignatureDatabase (
   ) \r
 {\r
   UINT16*      FilePostFix;\r
+  UINTN        NameLength;\r
 \r
   if ((Private->FileContext->FileName == NULL) || (Private->FileContext->FHandle == NULL) || (Private->SignatureGUID == NULL)) {\r
     return EFI_INVALID_PARAMETER;\r
@@ -1516,7 +1527,11 @@ EnrollSignatureDatabase (
   //\r
   // Parse the file's postfix. \r
   //\r
-  FilePostFix = Private->FileContext->FileName + StrLen (Private->FileContext->FileName) - 4;\r
+  NameLength = StrLen (Private->FileContext->FileName);\r
+  if (NameLength <= 4) {\r
+    return EFI_INVALID_PARAMETER;\r
+  }\r
+  FilePostFix = Private->FileContext->FileName + NameLength - 4;\r
   if (IsDerEncodeCertificate(FilePostFix)) {\r
     //\r
     // Supports DER-encoded X509 certificate.\r