1. Patchew
  2. EDK2
  3. [edk2] [PATCH 00/17] BaseTools/C: Code refinements
  4. View patch

[edk2] [PATCH 11/17] BaseTools/GenFv: Add/refine boundary checks for strcpy/strcat calls

Hao Wu posted 17 patches 7 years ago
[edk2] [PATCH 11/17] BaseTools/GenFv: Add/refine boundary checks for strcpy/strcat calls
Posted by Hao Wu 7 years ago 
Add checks to ensure when the destination string buffer is of fixed
size, the strcpy/strcat functions calls will not access beyond the
boundary.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
---
 BaseTools/Source/C/GenFv/GenFvInternalLib.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/BaseTools/Source/C/GenFv/GenFvInternalLib.c b/BaseTools/Source/C/GenFv/GenFvInternalLib.c
index 2b80e7919b..fc1a7602ab 100644
--- a/BaseTools/Source/C/GenFv/GenFvInternalLib.c
+++ b/BaseTools/Source/C/GenFv/GenFvInternalLib.c
@@ -824,7 +824,11 @@ Returns:
   //
   // Construct Map file Name 
   //
-  strcpy (PeMapFileName, FileName);
+  if (strlen (FileName) >= MAX_LONG_FILE_PATH) {
+    return EFI_ABORTED;
+  }
+  strncpy (PeMapFileName, FileName, MAX_LONG_FILE_PATH - 1);
+  PeMapFileName[MAX_LONG_FILE_PATH - 1] = 0;
   
   //
   // Change '\\' to '/', unified path format.
@@ -861,7 +865,11 @@ Returns:
     Cptr --;
   }
 	*Cptr2 = '\0';
-	strcpy (KeyWord, Cptr + 1);
+  if (strlen (Cptr + 1) >= MAX_LINE_LEN) {
+    return EFI_ABORTED;
+  }
+  strncpy (KeyWord, Cptr + 1, MAX_LINE_LEN - 1);
+  KeyWord[MAX_LINE_LEN - 1] = 0;
 	*Cptr2 = '.';
 
   //
@@ -3534,7 +3542,12 @@ Returns:
           //
           // Construct the original efi file Name 
           //
-          strcpy (PeFileName, FileName);
+          if (strlen (FileName) >= MAX_LONG_FILE_PATH) {
+            Error (NULL, 0, 2000, "Invalid", "The file name %s is too long.", FileName);
+            return EFI_ABORTED;
+          }
+          strncpy (PeFileName, FileName, MAX_LONG_FILE_PATH - 1);
+          PeFileName[MAX_LONG_FILE_PATH - 1] = 0;
           Cptr = PeFileName + strlen (PeFileName);
           while (*Cptr != '.') {
             Cptr --;
@@ -3789,7 +3802,12 @@ Returns:
       //
       // Construct the original efi file name 
       //
-      strcpy (PeFileName, FileName);
+      if (strlen (FileName) >= MAX_LONG_FILE_PATH) {
+        Error (NULL, 0, 2000, "Invalid", "The file name %s is too long.", FileName);
+        return EFI_ABORTED;
+      }
+      strncpy (PeFileName, FileName, MAX_LONG_FILE_PATH - 1);
+      PeFileName[MAX_LONG_FILE_PATH - 1] = 0;
       Cptr = PeFileName + strlen (PeFileName);
       while (*Cptr != '.') {
         Cptr --;
-- 
2.12.0.windows.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Patchew 2.1-devel-8c64711

© 2016 - 2025 Red Hat, Inc.