
Commit b3a2f7f

santhoshVenkat25mergify[bot]
authored andcommitted
NetworkPkg/IScsiDxe:Fix for out of bound memory access for bz4207 (CVE-2024-38805)
In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len. Avoids wrapping Len. Also use a SafeUint32Sub call to reduce Len. Signed-off-by: santhosh kumar V <[email protected]>
1 parent 607c58e commit b3a2f7f


1 file changed

+24
-5
lines changed

1 file changed

+24
-5
lines changed

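--- a/NetworkPkg/IScsiDxe/IScsiProto.c
+++ b/NetworkPkg/IScsiDxe/IScsiProto.c
@@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
 {
 LIST_ENTRY *ListHead;
 ISCSI_KEY_VALUE_PAIR *KeyValuePair;
+EFI_STATUS Status;
+UINT32 Result;
 
 ListHead = AllocatePool (sizeof (LIST_ENTRY));
 if (ListHead == NULL) {
@@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
 Data++;
 }
 
-if (*Data == '=') {
+// Here Len must not be zero.
+// The value of Len is size of data buffer. Actually, Data is make up of strings.
+// AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
+// (1) Len == 0, *Data != '=' goto ON_ERROR
+// (2) *Data == '=', Len != 0 normal case.
+// (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
+if ((Len > 0) && (*Data == '=')) {
 *Data = '\0';
-
 Data++;
 Len--;
 } else {
@@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (
 
 KeyValuePair->Value = Data;
 
-InsertTailList (ListHead, &KeyValuePair->List);
+Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
+if (EFI_ERROR (Status)) {
+DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
+FreePool (KeyValuePair);
+goto ON_ERROR;
+}
 
-Data += AsciiStrLen (KeyValuePair->Value) + 1;
-Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
+Status = SafeUint32Sub (Len, Result, &Len);
+if (EFI_ERROR (Status)) {
+DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
+FreePool (KeyValuePair);
+goto ON_ERROR;
+}
+
+InsertTailList (ListHead, &KeyValuePair->List);
+Data += Result;
 }
 
 return ListHead;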
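Review bot: `AsciiStrLen (KeyValuePair->Value)` in the third hunk still scans for the terminator without regard to `Len`, so when the remaining bytes hold no NUL (including the case where `Len` drops to 0 right after the `=` is consumed) the read has already run past the buffer by the time `SafeUint32Sub` reports the mismatch. Unless every caller guarantees a trailing NUL inside the `Len` bytes, which is not visible from these hunks, a bounded scan would detect the condition without the over-read: `ValueLen = AsciiStrnLenS (KeyValuePair->Value, Len);` followed by `if (ValueLen == Len) { FreePool (KeyValuePair); goto ON_ERROR; }`, with `ValueLen` declared as `UINTN`. The `(UINT32)` cast on the `UINTN` result also truncates before `SafeUint32Add` sees the value, so that overflow check covers less than its log message suggests. The body of IScsiBuildKeyValueList starts and ends outside the hunks shown.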
