Hello all, In the file PxeBcSupport.c of NetworkPkg there is
EFI_STATUS PxeBcUdp4Write ( { ... // // Arrange one fragment buffer for data, and another fragment buffer for header if has. // FragCount = (HeaderSize != NULL) ? 2 : 1; ... TxData->FragmentTable[FragCount - 1].FragmentLength = (UINT32) *BufferSize; ... } And similarly in EFI_STATUS PxeBcUdp6Write ( { ... // // Arrange one fragment buffer for data, and another fragment buffer for header if has. // FragCount = (HeaderSize != NULL) ? 2 : 1; ... TxData->FragmentTable[FragCount - 1].FragmentLength = (UINT32) *BufferSize; ... } If HeaderSize is not NULL, then there is a chance of writing array over bounds since FragmentTable is of single element. /// /// Array of fragment descriptors. /// EFI_UDP6_FRAGMENT_DATA FragmentTable[1]; Shouldn't we be taking care of this? Regards, Naveen _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel