From 894d038a8d0e99d456042e2b6d1554c4a406ea70 Mon Sep 17 00:00:00 2001 From: vanjeff Date: Mon, 29 Jun 2009 09:19:25 +0000 Subject: [PATCH] add security check. git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@8680 6f19259b-4bc3-4df7-8a09-765794883524 --- MdeModulePkg/Library/DxeNetLib/DxeNetLib.c | 3 +++ MdeModulePkg/Library/DxeNetLib/NetBuffer.c | 4 +++- .../Universal/Network/ArpDxe/ArpImpl.c | 18 +++++++++++------- .../Universal/Network/Dhcp4Dxe/Dhcp4Impl.c | 5 +++-- .../Universal/Network/Dhcp4Dxe/Dhcp4Option.c | 5 +++-- .../Universal/Network/IScsiDxe/IScsiCHAP.c | 5 ++--- .../Universal/Network/IScsiDxe/IScsiMisc.c | 5 ++++- .../Network/Ip4ConfigDxe/Ip4ConfigNv.c | 2 ++ MdeModulePkg/Universal/Network/Ip4Dxe/Ip4If.c | 4 ++-- .../Universal/Network/Ip4Dxe/Ip4Igmp.c | 5 ++++- .../Universal/Network/Ip4Dxe/Ip4Impl.c | 6 +++++- .../Universal/Network/Ip4Dxe/Ip4Input.c | 6 +++++- .../Universal/Network/Mtftp4Dxe/Mtftp4Rrq.c | 4 ++-- .../Network/Mtftp4Dxe/Mtftp4Support.c | 7 +++++-- .../Universal/Network/Mtftp4Dxe/Mtftp4Wrq.c | 3 ++- MdeModulePkg/Universal/Network/SnpDxe/Snp.c | 4 ++-- .../Universal/Network/Tcp4Dxe/Tcp4Output.c | 7 +++++-- .../Universal/Network/Udp4Dxe/Udp4Impl.c | 3 ++- .../Universal/Network/Udp4Dxe/Udp4Main.c | 4 +++- .../Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c | 14 ++++++++++++-- .../Universal/Network/UefiPxeBcDxe/PxeBcImpl.c | 13 ++++++++----- .../Network/UefiPxeBcDxe/PxeBcSupport.c | 3 ++- 22 files changed, 90 insertions(+), 40 deletions(-) diff --git a/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c b/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c index 8bf2cbd3b6..32c81c17b7 100644 --- a/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c +++ b/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c @@ -1286,6 +1286,9 @@ NetLibDefaultAddressIsStatic ( // Construct config request string header // ConfigHdr = HiiConstructConfigHdr (&gEfiNicIp4ConfigVariableGuid, EFI_NIC_IP4_CONFIG_VARIABLE, Controller); + if (ConfigHdr == NULL) { + return TRUE; + } Len = StrLen (ConfigHdr); ConfigResp = AllocateZeroPool ((Len + NIC_ITEM_CONFIG_SIZE * 2 + 100) * sizeof (CHAR16)); diff --git a/MdeModulePkg/Library/DxeNetLib/NetBuffer.c b/MdeModulePkg/Library/DxeNetLib/NetBuffer.c index 61d49087e9..3fbb6094a5 100644 --- a/MdeModulePkg/Library/DxeNetLib/NetBuffer.c +++ b/MdeModulePkg/Library/DxeNetLib/NetBuffer.c @@ -1,7 +1,7 @@ /** @file Network library functions providing net buffer operation support. -Copyright (c) 2005 - 2006, Intel Corporation.
+Copyright (c) 2005 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -1506,6 +1506,8 @@ NetbufQueCopy ( Cur += Nbuf->TotalSize; } + ASSERT (Nbuf != NULL); + // // Copy the data in the first buffer. // diff --git a/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c b/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c index d42937ef34..aa4707294b 100644 --- a/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c +++ b/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c @@ -1,7 +1,7 @@ /** @file The implementation of the ARP protocol. -Copyright (c) 2006 - 2008, Intel Corporation.
+Copyright (c) 2006 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at
@@ -1083,6 +1083,7 @@ ArpSendFrame ( Packet = AllocatePool (TotalLength); if (Packet == NULL) { DEBUG ((EFI_D_ERROR, "ArpSendFrame: Allocate memory for Packet failed.\n")); + ASSERT (Packet != NULL); } TmpPtr = Packet; @@ -1451,6 +1452,7 @@ ArpFindCacheEntry ( UINT32 FoundCount; EFI_ARP_FIND_DATA *FindData; LIST_ENTRY *CacheTable; + UINT32 FoundEntryLength; ArpService = Instance->ArpService; @@ -1567,12 +1569,14 @@ ArpFindCacheEntry ( goto CLEAN_EXIT; } + // + // Found the entry length, make sure its 8 bytes alignment. + // + FoundEntryLength = (((sizeof (EFI_ARP_FIND_DATA) + Instance->ConfigData.SwAddressLength + + ArpService->SnpMode.HwAddressSize) + 3) & ~(0x3)); + if (EntryLength != NULL) { - // - // Return the entry length, make sure its 8 bytes alignment. - // - *EntryLength = (((sizeof (EFI_ARP_FIND_DATA) + Instance->ConfigData.SwAddressLength + - ArpService->SnpMode.HwAddressSize) + 3) & ~(0x3)); + *EntryLength = FoundEntryLength; } if (EntryCount != NULL) { @@ -1589,7 +1593,7 @@ ArpFindCacheEntry ( // // Allocate buffer to copy the found entries. // - FindData = AllocatePool (FoundCount * (*EntryLength)); + FindData = AllocatePool (FoundCount * FoundEntryLength); if (FindData == NULL) { DEBUG ((EFI_D_ERROR, "ArpFindCacheEntry: Failed to allocate memory.\n")); Status = EFI_OUT_OF_RESOURCES; diff --git a/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Impl.c b/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Impl.c index f2c2100d36..6d82230457 100644 --- a/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Impl.c +++ b/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Impl.c @@ -1,7 +1,7 @@ /** @file This file implement the EFI_DHCP4_PROTOCOL interface. -Copyright (c) 2006 - 2008, Intel Corporation.
+Copyright (c) 2006 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -1313,12 +1313,13 @@ PxeDhcpInput ( // Len = NET_ROUNDUP (sizeof (EFI_DHCP4_PACKET) + UdpPacket->TotalSize - sizeof (EFI_DHCP4_HEADER), 4); Wrap = NetbufAlloc (Len); - if (Wrap == NULL) { goto RESTART; } Packet = (EFI_DHCP4_PACKET *) NetbufAllocSpace (Wrap, Len, NET_BUF_TAIL); + ASSERT (Packet != NULL); + Packet->Size = Len; Head = &Packet->Dhcp4.Header; Packet->Length = NetbufCopy (UdpPacket, 0, UdpPacket->TotalSize, (UINT8 *) Head); diff --git a/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c b/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c index e49e1e44f9..11b8978b40 100644 --- a/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c +++ b/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c @@ -1,7 +1,7 @@ /** @file Function to validate, parse, process the DHCP options. -Copyright (c) 2006 - 2008, Intel Corporation.
+Copyright (c) 2006 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -668,8 +668,8 @@ DhcpValidateOptions ( } AllOption = NULL; - Status = DhcpParseOption (Packet, &Count, &AllOption); + Status = DhcpParseOption (Packet, &Count, &AllOption); if (EFI_ERROR (Status) || (Count == 0)) { return Status; } @@ -679,6 +679,7 @@ DhcpValidateOptions ( for (Index = 0; Index < Count; Index++) { Option = &AllOption[Index]; + ASSERT (Option != NULL); // // Find the format of the option then validate it. diff --git a/MdeModulePkg/Universal/Network/IScsiDxe/IScsiCHAP.c b/MdeModulePkg/Universal/Network/IScsiDxe/IScsiCHAP.c index b0e09d8002..dc6567498f 100644 --- a/MdeModulePkg/Universal/Network/IScsiDxe/IScsiCHAP.c +++ b/MdeModulePkg/Universal/Network/IScsiDxe/IScsiCHAP.c @@ -1,7 +1,7 @@ /** @file This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration. -Copyright (c) 2004 - 2008, Intel Corporation.
+Copyright (c) 2004 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -165,8 +165,7 @@ IScsiCHAPOnRspReceived ( // KeyValueList = IScsiBuildKeyValueList ((CHAR8 *) Data, Len); if (KeyValueList == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; + return EFI_OUT_OF_RESOURCES; } Status = EFI_PROTOCOL_ERROR; diff --git a/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c b/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c index 5275638d13..9eff1850be 100644 --- a/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c +++ b/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c @@ -1,7 +1,7 @@ /** @file Miscellaneous routines for iSCSI driver. -Copyright (c) 2004 - 2008, Intel Corporation.
+Copyright (c) 2004 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -744,6 +744,9 @@ IScsiGetTcpConnDevicePath ( // Duplicate it. // DevicePath = DuplicateDevicePath (DevicePath); + if (DevicePath == NULL) { + return NULL; + } DPathNode = (EFI_DEV_PATH *) DevicePath; diff --git a/MdeModulePkg/Universal/Network/Ip4ConfigDxe/Ip4ConfigNv.c b/MdeModulePkg/Universal/Network/Ip4ConfigDxe/Ip4ConfigNv.c index b7de203881..a5b7c93ebe 100644 --- a/MdeModulePkg/Universal/Network/Ip4ConfigDxe/Ip4ConfigNv.c +++ b/MdeModulePkg/Universal/Network/Ip4ConfigDxe/Ip4ConfigNv.c @@ -736,6 +736,8 @@ Ip4FormCallback ( case KEY_SAVE_CHANGES: Ip4ConfigInstance = Private->Current->Ip4ConfigInstance; NicInfo = AllocateZeroPool (sizeof (NIC_IP4_CONFIG_INFO) + 2 * sizeof (EFI_IP4_ROUTE_TABLE)); + ASSERT (NicInfo != NULL); + NicInfo->Ip4Info.RouteTable = (EFI_IP4_ROUTE_TABLE *) (NicInfo + 1); if (!Private->Current->SessionConfigData.Enabled) { diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4If.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4If.c index 9cb7147312..dd2674d224 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4If.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4If.c @@ -1,7 +1,7 @@ /** @file Implement IP4 pesudo interface. -Copyright (c) 2005 - 2007, Intel Corporation.
+Copyright (c) 2005 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -582,7 +582,7 @@ Ip4SetAddress ( Type = NetGetIpClass (IpAddr); Len = NetGetMaskLength (SubnetMask); - Netmask = gIp4AllMasks[MIN (Len, Type << 3)]; + Netmask = gIp4AllMasks[MIN ((Len - 1), Type << 3)]; Interface->NetBrdcast = (IpAddr | ~Netmask); // diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Igmp.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Igmp.c index 9b201c2eae..7b56a6664c 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Igmp.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Igmp.c @@ -1,7 +1,7 @@ /** @file This file implements the RFC2236: IGMP v2. -Copyright (c) 2005 - 2006, Intel Corporation.
+Copyright (c) 2005 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -192,6 +192,9 @@ Ip4SendIgmpMessage ( NetbufReserve (Packet, IP4_MAX_HEADLEN); Igmp = (IGMP_HEAD *) NetbufAllocSpace (Packet, sizeof (IGMP_HEAD), FALSE); + if (Igmp == NULL) { + return EFI_OUT_OF_RESOURCES; + } Igmp->Type = Type; Igmp->MaxRespTime = 0; diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Impl.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Impl.c index 362e084a7c..84a39656f6 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Impl.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Impl.c @@ -1,6 +1,6 @@ /** @file -Copyright (c) 2005 - 2007, Intel Corporation.
+Copyright (c) 2005 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -1314,6 +1314,10 @@ Ip4Groups ( // host byte order // if (JoinFlag) { + // + // When JoinFlag is TRUE, GroupAddress shouldn't be NULL. + // + ASSERT (GroupAddress != NULL); CopyMem (&Group, GroupAddress, sizeof (IP4_ADDR)); for (Index = 0; Index < IpInstance->GroupCount; Index++) { diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c index 0f4948d46a..964fb96a79 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c @@ -1,7 +1,7 @@ /** @file IP4 input process. -Copyright (c) 2005 - 2007, Intel Corporation.
+Copyright (c) 2005 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -265,6 +265,10 @@ Ip4Reassemble ( InsertHeadList (&Table->Bucket[Index], &Assemble->Link); } + // + // Assemble shouldn't be NULL here + // + ASSERT (Assemble != NULL); // // Find the point to insert the packet: before the first diff --git a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Rrq.c b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Rrq.c index 3f64bf05d9..f5b6bbc887 100644 --- a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Rrq.c +++ b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Rrq.c @@ -1,7 +1,7 @@ /** @file Routines to process Rrq (download). -Copyright (c) 2006 - 2007, Intel Corporation
+Copyright (c) 2006 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -99,7 +99,6 @@ Mtftp4RrqSendAck ( NET_BUF *Packet; Packet = NetbufAlloc (sizeof (EFI_MTFTP4_ACK_HEADER)); - if (Packet == NULL) { return EFI_OUT_OF_RESOURCES; } @@ -109,6 +108,7 @@ Mtftp4RrqSendAck ( sizeof (EFI_MTFTP4_ACK_HEADER), FALSE ); + ASSERT (Ack != NULL); Ack->Ack.OpCode = HTONS (EFI_MTFTP4_OPCODE_ACK); Ack->Ack.Block[0] = HTONS (BlkNo); diff --git a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Support.c b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Support.c index be3c8c95f6..5c8516f630 100644 --- a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Support.c +++ b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Support.c @@ -1,7 +1,7 @@ /** @file Support routines for Mtftp. -Copyright (c) 2006 - 2007, Intel Corporation
+Copyright (c) 2006 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -291,6 +291,8 @@ Mtftp4SendRequest ( } Packet = (EFI_MTFTP4_PACKET *) NetbufAllocSpace (Nbuf, Len, FALSE); + ASSERT (Packet != NULL); + Packet->OpCode = HTONS (Instance->Operation); Cur = Packet->Rrq.Filename; Cur = (UINT8 *) AsciiStrCpy ((CHAR8 *) Cur, (CHAR8 *) Token->Filename); @@ -335,12 +337,13 @@ Mtftp4SendError ( Len = (UINT32) (AsciiStrLen ((CHAR8 *) ErrInfo) + sizeof (EFI_MTFTP4_ERROR_HEADER)); Packet = NetbufAlloc (Len); - if (Packet == NULL) { return EFI_OUT_OF_RESOURCES; } TftpError = (EFI_MTFTP4_PACKET *) NetbufAllocSpace (Packet, Len, FALSE); + ASSERT (TftpError != NULL); + TftpError->OpCode = HTONS (EFI_MTFTP4_OPCODE_ERROR); TftpError->Error.ErrorCode = HTONS (ErrCode); diff --git a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Wrq.c b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Wrq.c index cb39da48c8..872b2953c2 100644 --- a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Wrq.c +++ b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Wrq.c @@ -1,7 +1,7 @@ /** @file Routines to process Wrq (upload). -Copyright (c) 2006, Intel Corporation
+Copyright (c) 2006 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -52,6 +52,7 @@ Mtftp4WrqSendBlock ( } Packet = (EFI_MTFTP4_PACKET *) NetbufAllocSpace (UdpPacket, MTFTP4_DATA_HEAD_LEN, FALSE); + ASSERT (Packet != NULL); Packet->Data.OpCode = HTONS (EFI_MTFTP4_OPCODE_DATA); Packet->Data.Block = HTONS (BlockNum); diff --git a/MdeModulePkg/Universal/Network/SnpDxe/Snp.c b/MdeModulePkg/Universal/Network/SnpDxe/Snp.c index 7e98baa8eb..213b724e5f 100644 --- a/MdeModulePkg/Universal/Network/SnpDxe/Snp.c +++ b/MdeModulePkg/Universal/Network/SnpDxe/Snp.c @@ -1,5 +1,5 @@ /** @file - Implementation of driver entry point and driver binding protocol. + Implementation of driver entry point and driver binding protocol. Copyright (c) 2004 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed @@ -860,7 +860,7 @@ AddV2P ( } *V2p = AllocatePool (sizeof (V2P)); - if (*V2p != NULL) { + if (*V2p == NULL) { return EFI_OUT_OF_RESOURCES; } diff --git a/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Output.c b/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Output.c index c9a1f6b106..956385a914 100644 --- a/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Output.c +++ b/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Output.c @@ -1,7 +1,7 @@ /** @file TCP output process routines. -Copyright (c) 2005 - 2006, Intel Corporation
+Copyright (c) 2005 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -445,7 +445,9 @@ TcpGetSegmentSndQue ( } } - ASSERT (Cur != Head); + ASSERT (Cur != Head); + ASSERT (Node != NULL); + ASSERT (Seg != NULL); // // Return the buffer if it can be returned without @@ -750,6 +752,7 @@ SEND_AGAIN: Len = TcpDataToSend (Tcb, Force); Seq = Tcb->SndNxt; + ASSERT ((Tcb->State) < (sizeof (mTcpOutFlag) / sizeof (mTcpOutFlag[0]))); Flag = mTcpOutFlag[Tcb->State]; if ((Flag & TCP_FLG_SYN) != 0) { diff --git a/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c b/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c index 0440f1558d..0f14021e23 100644 --- a/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c +++ b/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c @@ -1,7 +1,7 @@ /** @file The implementation of the Udp4 protocol. -Copyright (c) 2006 - 2008, Intel Corporation.
+Copyright (c) 2006 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -1718,6 +1718,7 @@ Udp4SendPortUnreach ( // Allocate space for the IP4_ICMP_ERROR_HEAD. // IcmpErrHdr = (IP4_ICMP_ERROR_HEAD *) NetbufAllocSpace (Packet, Len, FALSE); + ASSERT (IcmpErrHdr != NULL); // // Set the required fields for the icmp port unreachable message. diff --git a/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Main.c b/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Main.c index a787ec440f..f3ff95463c 100644 --- a/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Main.c +++ b/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Main.c @@ -1,6 +1,6 @@ /** @file -Copyright (c) 2006 - 2007, Intel Corporation.
+Copyright (c) 2006 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -576,6 +576,8 @@ Udp4Transmit ( *((UINTN *) &Packet->ProtoData[0]) = (UINTN) (Udp4Service->IpIo); Udp4Header = (EFI_UDP4_HEADER *) NetbufAllocSpace (Packet, UDP4_HEADER_SIZE, TRUE); + ASSERT (Udp4Header != NULL); + ConfigData = &Instance->ConfigData; // diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c index ad7d139cf7..9b5080f15d 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c @@ -274,6 +274,7 @@ PxeBcTryBinl ( PXEBC_CACHED_DHCP4_PACKET *CachedPacket; EFI_DHCP4_PACKET *Reply; + ASSERT (Index < PXEBC_MAX_OFFER_NUM); ASSERT (Private->Dhcp4Offers[Index].OfferType == DHCP4_PACKET_TYPE_BINL); Offer = &Private->Dhcp4Offers[Index].Packet.Offer; @@ -560,6 +561,7 @@ PxeBcCacheDhcpOffer ( } OfferType = CachedOffer->OfferType; + ASSERT (OfferType < DHCP4_PACKET_TYPE_MAX); if (OfferType == DHCP4_PACKET_TYPE_BOOTP) { @@ -603,6 +605,7 @@ PxeBcCacheDhcpOffer ( // // It's a dhcp offer with your address. // + ASSERT (Private->ServerCount[OfferType] < PXEBC_MAX_OFFER_NUM); Private->OfferIndex[OfferType][Private->ServerCount[OfferType]] = Private->NumOffers; Private->ServerCount[OfferType]++; } @@ -1119,6 +1122,7 @@ PxeBcDiscvBootService ( EFI_DHCP4_HEADER *DhcpHeader; UINT32 Xid; + ASSERT (IsDiscv && (Layer != NULL)); Mode = Private->PxeBc.Mode; Dhcp4 = Private->Dhcp4; @@ -1717,15 +1721,21 @@ PxeBcSelectBootMenu ( MenuSize = VendorOpt->BootMenuLen; MenuItem = VendorOpt->BootMenu; + if (MenuSize == 0) { + return EFI_NOT_READY; + } + while (MenuSize > 0) { MenuArray[Index] = MenuItem; MenuSize = (UINT8) (MenuSize - (MenuItem->DescLen + 3)); MenuItem = (PXEBC_BOOT_MENU_ENTRY *) ((UINT8 *) MenuItem + MenuItem->DescLen + 3); - Index++; + if (Index++ > (PXEBC_MAX_MENU_NUM - 1)) { + break; + } } if (UseDefaultItem) { - CopyMem (Type, &MenuArray[0]->Type, sizeof (UINT16)); + *Type = MenuArray[0]->Type; *Type = NTOHS (*Type); return EFI_SUCCESS; } diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcImpl.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcImpl.c index 15444c1083..663d4a0202 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcImpl.c +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcImpl.c @@ -1432,6 +1432,8 @@ CheckIpByFilter ( return TRUE; } + ASSERT (PxeBcMode->IpFilter.IpCnt < EFI_PXE_BASE_CODE_MAX_IPCNT); + for (Index = 0; Index < PxeBcMode->IpFilter.IpCnt; Index++) { CopyMem ( &Ip4Address, @@ -1755,20 +1757,20 @@ EfiPxeBcSetIpFilter ( BOOLEAN PromiscuousNeed; if (This == NULL) { - DEBUG ((EFI_D_ERROR, "BC *This pointer == NULL.\n")); + DEBUG ((EFI_D_ERROR, "This == NULL.\n")); return EFI_INVALID_PARAMETER; } Private = PXEBC_PRIVATE_DATA_FROM_PXEBC (This); Mode = Private->PxeBc.Mode; - if (Private == NULL) { - DEBUG ((EFI_D_ERROR, "PXEBC_PRIVATE_DATA poiner == NULL.\n")); + if (NewFilter == NULL) { + DEBUG ((EFI_D_ERROR, "NewFilter == NULL.\n")); return EFI_INVALID_PARAMETER; } - if (NewFilter == NULL) { - DEBUG ((EFI_D_ERROR, "IP Filter *NewFilter == NULL.\n")); + if (NewFilter->IpCnt > EFI_PXE_BASE_CODE_MAX_IPCNT) { + DEBUG ((EFI_D_ERROR, "NewFilter->IpCnt > %d.\n", EFI_PXE_BASE_CODE_MAX_IPCNT)); return EFI_INVALID_PARAMETER; } @@ -1778,6 +1780,7 @@ EfiPxeBcSetIpFilter ( } PromiscuousNeed = FALSE; + for (Index = 0; Index < NewFilter->IpCnt; ++Index) { if (IP4_IS_LOCAL_BROADCAST (EFI_IP4 (NewFilter->IpList[Index].v4))) { // diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcSupport.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcSupport.c index 9327f62067..087c2619aa 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcSupport.c +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcSupport.c @@ -250,9 +250,10 @@ CvtNum ( { UINTN Remainder; - while (Length-- > 0) { + while (Length > 0) { Remainder = Number % 10; Number /= 10; + Length--; Buffer[Length] = (UINT8) ('0' + Remainder); } } -- 2.39.2