Hi Naveen,
Please feel free for the below coding, the array should never over bound since
the buffer has been allocated before using it.
FragCount = (HeaderSize != NULL) ? 2 : 1;
TxLength = sizeof (EFI_UDP6_TRANSMIT_DATA) + (FragCount - 1) * sizeof
(EFI_UDP6_FRAGMENT_DATA);
TxData = (EFI_UDP6_TRANSMIT_DATA *) AllocateZeroPool (TxLength);
Actually, you can treat it as pointer, and the allocated memory would be lost
since we have defined the FragmentCount.
Thanks,
Jiaxin
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Santhapur Naveen
> Sent: Tuesday, April 11, 2017 4:06 PM
> To: edk2-devel@lists.01.org
> Subject: [edk2] Array out of bounds write
> Importance: High
>
> Hello all,
>
> In the file PxeBcSupport.c of NetworkPkg there is
>
> EFI_STATUS
> PxeBcUdp4Write (
> {
> ...
> //
> // Arrange one fragment buffer for data, and another fragment
> buffer
> for header if has.
> //
> FragCount = (HeaderSize != NULL) ? 2 : 1;
> ...
> TxData->FragmentTable[FragCount - 1].FragmentLength = (UINT32)
> *BufferSize;
> ...
> }
>
> And similarly in
>
> EFI_STATUS
> PxeBcUdp6Write (
> {
> ...
> //
> // Arrange one fragment buffer for data, and another fragment
> buffer
> for header if has.
> //
> FragCount = (HeaderSize != NULL) ? 2 : 1;
> ...
> TxData->FragmentTable[FragCount - 1].FragmentLength = (UINT32)
> *BufferSize;
> ...
> }
>
> If HeaderSize is not NULL, then there is a chance of writing array over bounds
> since FragmentTable is of single element.
>
> ///
> /// Array of fragment descriptors.
> ///
> EFI_UDP6_FRAGMENT_DATA FragmentTable[1];
>
> Shouldn't we be taking care of this?
>
>
> Regards,
> Naveen
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
