On 07/30/13 11:23, Gary Ching-Pang Lin wrote:
> When enrolling the certificate from a file, the suffix check function
> check the last 4 characters to filter out non-DER files. However,
> if the length of the file name is less than 4, the address prior to
> the file name will be accessed while it shouldn't. This commit checks
> the length of the file name to avoid illegal access.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
> ---
> .../SecureBootConfigDxe/SecureBootConfigImpl.c | 21
> ++++++++++++++++++---
> 1 file changed, 18 insertions(+), 3 deletions(-)
>
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
>
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> index e8beecb..f5e899f 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> @@ -399,6 +399,7 @@ EnrollPlatformKey (
> UINTN DataSize;
> EFI_SIGNATURE_LIST *PkCert;
> UINT16* FilePostFix;
> + UINTN NameLength;
>
> if (Private->FileContext->FileName == NULL) {
> return EFI_INVALID_PARAMETER;
> @@ -414,7 +415,11 @@ EnrollPlatformKey (
> //
> // Parse the file's postfix. Only support DER encoded X.509 certificate
> files.
> //
> - FilePostFix = Private->FileContext->FileName + StrLen
> (Private->FileContext->FileName) - 4;
> + NameLength = StrLen (Private->FileContext->FileName);
> + if (NameLength <= 4) {
By including equality in this condition, you'll refuse a file named
'.DER'. Maybe that's a good thing, but technically '.DER' does end in
'.DER' :)
(This applies to all hunks in your series.)
Furthermore,
> + return EFI_INVALID_PARAMETER;
> + }
> + FilePostFix = Private->FileContext->FileName + NameLength - 4;
> if (!IsDerEncodeCertificate(FilePostFix)) {
> DEBUG ((EFI_D_ERROR, "Unsupported file type, only DER encoded
> certificate (%s) is supported.", mSupportX509Suffix));
> return EFI_INVALID_PARAMETER;
> @@ -802,6 +807,7 @@ EnrollKeyExchangeKey (
> )
> {
> UINT16* FilePostFix;
> + UINTN NameLength;
> EFI_STATUS Status;
>
> if ((Private->FileContext->FileName == NULL) || (Private->SignatureGUID ==
> NULL)) {
> @@ -817,7 +823,11 @@ EnrollKeyExchangeKey (
> // Parse the file's postfix. Supports DER-encoded X509 certificate,
> // and .pbk as RSA public key file.
> //
> - FilePostFix = Private->FileContext->FileName + StrLen
> (Private->FileContext->FileName) - 4;
> + NameLength = StrLen (Private->FileContext->FileName);
> + if (NameLength) {
I believe you forgot the "<= 4" (or, in my proposal, "< 4") part here.
Laszlo
> + return EFI_INVALID_PARAMETER;
> + }
> + FilePostFix = Private->FileContext->FileName + NameLength - 4;
> if (IsDerEncodeCertificate(FilePostFix)) {
> return EnrollX509ToKek (Private);
> } else if (CompareMem (FilePostFix, L".pbk",4) == 0) {
> @@ -1550,6 +1560,7 @@ EnrollSignatureDatabase (
> )
> {
> UINT16* FilePostFix;
> + UINTN NameLength;
> EFI_STATUS Status;
>
> if ((Private->FileContext->FileName == NULL) ||
> (Private->FileContext->FHandle == NULL) || (Private->SignatureGUID == NULL)) {
> @@ -1564,7 +1575,11 @@ EnrollSignatureDatabase (
> //
> // Parse the file's postfix.
> //
> - FilePostFix = Private->FileContext->FileName + StrLen
> (Private->FileContext->FileName) - 4;
> + NameLength = StrLen (Private->FileContext->FileName);
> + if (NameLength <= 4) {
> + return EFI_INVALID_PARAMETER;
> + }
> + FilePostFix = Private->FileContext->FileName + NameLength - 4;
> if (IsDerEncodeCertificate(FilePostFix)) {
> //
> // Supports DER-encoded X509 certificate.
>
------------------------------------------------------------------------------
Get your SQL database under version control now!
Version control is standard for application code, but databases havent
caught up. So what steps can you take to put your SQL databases under
version control? Why should you start doing it? Read more to find out.
http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel
