Hello all,

In the file PxeBcSupport.c of NetworkPkg there is

EFI_STATUS
PxeBcUdp4Write (
{
  ...
  //
  // Arrange one fragment buffer for data, and another fragment buffer for header if has.
  //
  FragCount = (HeaderSize != NULL) ? 2 : 1;
  ...
  TxData->FragmentTable[FragCount - 1].FragmentLength = (UINT32) *BufferSize;
  ...
}

And similarly in

EFI_STATUS
PxeBcUdp6Write (
{
  ...
  //
  // Arrange one fragment buffer for data, and another fragment buffer for header if has.
  //
  FragCount = (HeaderSize != NULL) ? 2 : 1;
  ...
  TxData->FragmentTable[FragCount - 1].FragmentLength = (UINT32) *BufferSize;
  ...
}

If HeaderSize is not NULL, then there is a chance of writing past the array bounds, since FragmentTable has only a single element.

  ///
  /// Array of fragment descriptors.
  ///
  EFI_UDP6_FRAGMENT_DATA    FragmentTable[1];

Shouldn't we be taking care of this?


Regards,
Naveen
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
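
Added example (not part of the original message and not EDK2 code): a structure whose last member is declared as a one-element array only has room for FragmentTable[FragCount - 1] when FragCount is 2 if the allocation was sized for two descriptors, and the excerpt's "..." does not show how TxData is allocated. The sketch below shows the size calculation and bounds check a reviewer would look for; TX_DATA, FRAG, TxDataSize, FragCapacity and BuildTx are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the UEFI types; only the one-element tail matters. */
typedef struct { uint32_t FragmentLength; void *FragmentBuffer; } FRAG;
typedef struct {
  uint32_t DataLength;
  uint32_t FragmentCount;
  FRAG     FragmentTable[1];  /* declared with 1 entry, sized at allocation time */
} TX_DATA;

/* Bytes needed for FragCount descriptors; 0 on a zero count or size overflow. */
size_t TxDataSize(size_t FragCount) {
  if (FragCount == 0 || FragCount - 1 > (SIZE_MAX - sizeof(TX_DATA)) / sizeof(FRAG))
    return 0;
  return sizeof(TX_DATA) + (FragCount - 1) * sizeof(FRAG);
}

/* How many descriptors an allocation of AllocSize bytes can actually hold. */
size_t FragCapacity(size_t AllocSize) {
  if (AllocSize < sizeof(TX_DATA)) return 0;
  return 1 + (AllocSize - sizeof(TX_DATA)) / sizeof(FRAG);
}

/* Header fragment first (if any), data fragment last, as in the excerpt. */
TX_DATA *BuildTx(void *Hdr, uint32_t HdrLen, void *Buf, uint32_t BufLen) {
  size_t   FragCount = (Hdr != NULL) ? 2 : 1;
  size_t   Size      = TxDataSize(FragCount);
  TX_DATA *Tx;
  FRAG    *Tab;
  if (Hdr == NULL) HdrLen = 0;
  if (Size == 0 || HdrLen > UINT32_MAX - BufLen) return NULL;
  Tx = calloc(1, Size);
  if (Tx == NULL) return NULL;
  if (FragCapacity(Size) < FragCount) { free(Tx); return NULL; }  /* bounds check */
  Tab = Tx->FragmentTable;
  if (Hdr != NULL) { Tab[0].FragmentLength = HdrLen; Tab[0].FragmentBuffer = Hdr; }
  Tab[FragCount - 1].FragmentLength = BufLen;
  Tab[FragCount - 1].FragmentBuffer = Buf;
  Tx->FragmentCount = (uint32_t)FragCount;
  Tx->DataLength    = HdrLen + BufLen;
  return Tx;
}

int main(void) { return FragCapacity(TxDataSize(2)) == 2 ? 0 : 1; }
```

An allocation of only sizeof(TX_DATA) bytes reports a capacity of 1, which is the case where writing index 1 would land past the end of the buffer.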
