From patchwork Fri Jul 10 13:21:00 2015
X-Patchwork-Submitter: Leif Lindholm
X-Patchwork-Id: 51035
From: Leif Lindholm
To: edk2-devel@lists.sourceforge.net
Date: Fri, 10 Jul 2015 14:21:00 +0100
Message-Id: <1436534460-28856-1-git-send-email-leif.lindholm@linaro.org>
Cc: linaro-uefi@lists.linaro.org
Subject: [edk2] [PATCH] MdePkg: ensure SafeString length functions don't access beyond MaxSize

The StrnLenS and AsciiStrnLenS functions, when presented with a string
with no terminating NULL in the first MaxSize characters, will check the
character at String[MaxSize] before checking if Length < MaxSize.
(They return the correct value, but have accessed beyond the stated
limit in the process.)

Flip the order of the tests to prevent this behaviour.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Leif Lindholm
---
 MdePkg/Library/BaseLib/SafeString.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/MdePkg/Library/BaseLib/SafeString.c b/MdePkg/Library/BaseLib/SafeString.c index 7c1b075..b0e1ce7 100644
--- a/MdePkg/Library/BaseLib/SafeString.c +++ b/MdePkg/Library/BaseLib/SafeString.c @@ -141,7 +141,7 @@ StrnLenS ( // String then StrnLenS returns MaxSize. At most the first MaxSize characters of String shall // be accessed by StrnLenS. // - for (Length = 0; (*String != 0) && (Length < MaxSize); String++, Length++) { + for (Length = 0; (Length < MaxSize) && (*String != 0); String++, Length++) { ; } return Length; @@ -551,7 +551,7 @@ AsciiStrnLenS ( // String then AsciiStrnLenS returns MaxSize. At most the first MaxSize characters of String shall // be accessed by AsciiStrnLenS. // - for (Length = 0; (*String != 0) && (Length < MaxSize); String++, Length++) { + for (Length = 0; (Length < MaxSize) && (*String != 0); String++, Length++) { ; } return Length;
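
Review bot: In the StrnLenS hunk (@@ -141,7 +141,7 @@), the operand order of the loop condition is now the only thing enforcing the "At most the first MaxSize characters of String shall be accessed" guarantee stated in the comment above it, yet nothing next to the condition says the order matters. A later tidy-up could swap `(Length < MaxSize) && (*String != 0)` back without any visible change in return value, which is exactly how the original over-read went unnoticed. Suggest extending the existing comment with one sentence saying the bound check must be evaluated before the dereference, and adding a regression test that passes a buffer of exactly MaxSize non-zero characters placed so that a read of String[MaxSize] would be detected.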
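
Review bot: In the AsciiStrnLenS hunk (@@ -551,7 +551,7 @@), the reordered condition also changes what happens when MaxSize is 0, and the commit message does not mention it. With the old order `(*String != 0) && (Length < MaxSize)` the first iteration read String[0] even for MaxSize == 0; with the new order no character is read at all in that case. The return value is 0 either way, so this is consistent with the comment's "at most the first MaxSize characters" wording, but it is worth one line in the commit message since it applies equally to StrnLenS and is a second boundary case the same test should cover.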