From: "houjingyi"
Date: Wed, 25 Jan 2023 22:30:58 +0800
Subject: [edk2-devel] [PATCH] RedfishPkg/RedfishLib: Avoid possible overflow in memcpy
To: devel@edk2.groups.io

From 0541928e66eb01802a855bbbae125ef0b02259d6 Mon Sep 17 00:00:00 2001
From: houjingyi233 <houjingyi647@gmail.com>
Date: Wed, 25 Jan 2023 22:11:31 +0800
Subject: [PATCH] RedfishPkg/RedfishLib: Avoid possible overflow in memcpy

It is possible that when the third argument of the memcpy is unequal
to the first argument of malloc will cause overflow, when +1 in malloc
cause int overflow malloc a very small size of memory and followed memcpy
will cause heap overflow.

Signed-off-by: houjingyi233 <houjingyi647@gmail.com>
---
 .../RedfishLib/edk2libredfish/src/redpath.c           | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/RedfishPkg/PrivateLibrary/RedfishLib/edk2libre= dfish/src/redpath.c b/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/s= rc/redpath.c
index cf5ab85165..a1523938f7 100644
--- a/RedfishPkg/Pri= vateLibrary/RedfishLib/edk2libredfish/src/redpath.c
+++ b/RedfishPkg/Pri= vateLibrary/RedfishLib/edk2libredfish/src/redpath.c
@@ -175,6 +175,10 @@= parseNode (
=C2=A0 =C2=A0 =C2=A0return;
=C2=A0 =C2=A0}
=C2=A0
= + =C2=A0if ((opChars - index)+1 < opChars - index) {
+ =C2=A0 =C2=A0r= eturn;
+ =C2=A0}
+
=C2=A0 =C2=A0node->next->propName =3D (ch= ar *)malloc ((opChars - index)+1);
=C2=A0 =C2=A0memcpy (node->next-&g= t;propName, index, (opChars - index));
=C2=A0 =C2=A0node->next->pr= opName[(opChars - index)] =3D 0;
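Review bot: The guard `(opChars - index)+1 < opChars - index` tests for wraparound on a signed value, so it cannot be relied on. Both `index` and `opChars` are passed to memcpy as source pointers in this function, which makes their difference a signed ptrdiff_t; signed overflow is undefined behaviour in C, and a compiler is entitled to treat `x+1 < x` as always false and drop the check. Suggest converting the length to size_t once, rejecting it against an explicit upper bound before adding 1, and checking the malloc result for NULL before the memcpy, which these lines still do not do. The bare `return;` also gives the caller no signal that node->next was left without a propName.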
@@ -189,6 +193,9 @@ parseNode (
=C2= =A0 =C2=A0 =C2=A0break;
=C2=A0 =C2=A0}
=C2=A0
+ =C2=A0if (tmpIndex= +1 < tmpIndex) {
+ =C2=A0 =C2=A0return;
+ =C2=A0}
=C2=A0 =C2=A0= node->next->op =3D (char *)malloc (tmpIndex+1);
=C2=A0 =C2=A0memcp= y (node->next->op, opChars, tmpIndex);
=C2=A0 =C2=A0node->next-= >op[tmpIndex] =3D 0;
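Review bot: Returning at the `tmpIndex+1 < tmpIndex` check abandons the propName buffer that the previous hunk allocates earlier in parseNode, and leaves node->next->op unset, with nothing reported to the caller. Suggest releasing what has already been built for node->next on this path, or having parseNode report failure. The type of tmpIndex is not visible in these lines: the comparison is only a valid wrap test if tmpIndex is unsigned, so it is worth stating that in a comment or comparing against an explicit maximum. The malloc result is still used by memcpy without a NULL check. Style: the other two guards in this patch are followed by a blank line and this one is not.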
@@ -217,6 +224,10 @@ getStringTill (
=C2=A0 = =C2=A0 =C2=A0return strdup (string);
=C2=A0 =C2=A0}
=C2=A0
+ =C2= =A0if ((end-string)+1 < end-string) {
+ =C2=A0 =C2=A0return;
+ =C2= =A0}
+
=C2=A0 =C2=A0ret =3D (char *)malloc ((end-string)+1);
=C2= =A0 =C2=A0memcpy (ret, string, (end-string));
=C2=A0 =C2=A0ret[(end-stri= ng)] =3D 0;
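Review bot: The added `return;` in getStringTill returns no value, but the context line `return strdup (string);` shows the function returns a char pointer, so this should be `return NULL;`. As written it is a constraint violation that compilers warn about or reject, and a caller that uses the result would read an indeterminate pointer. The guard itself, `(end-string)+1 < end-string`, has the same problem as the first hunk: it is a signed pointer difference, so the overflow it looks for is undefined behaviour and the test may be optimised away. The malloc result should also be checked for NULL before the memcpy.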
--
2.37.3
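
The failure the commit message describes (a length whose +1 wraps, so malloc returns a tiny buffer and the following memcpy overruns it) can be closed off in a single copy helper. This is an added example, not code from edk2libredfish or from the patch; `dup_len`, `dup_range` and `REDPATH_MAX_TOKEN` are hypothetical names, the 4096-byte cap is an assumed policy, and the sample string is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for one path token; not a value from the project. */
#define REDPATH_MAX_TOKEN 4096u

/* Copy len bytes from src into a new NUL-terminated buffer.
 * Returns NULL instead of allocating when len + 1 would wrap,
 * when len exceeds the policy limit, or when malloc fails. */
char *dup_len(const char *src, size_t len)
{
    if (src == NULL)
        return NULL;
    if (len == SIZE_MAX)            /* len + 1 would wrap to 0 */
        return NULL;
    if (len > REDPATH_MAX_TOKEN)    /* explicit bound, checked before the add */
        return NULL;
    char *out = malloc(len + 1);    /* cannot wrap after the checks above */
    if (out == NULL)
        return NULL;
    memcpy(out, src, len);          /* copies exactly len bytes into len + 1 */
    out[len] = '\0';
    return out;
}

/* Copy the bytes in [start, end) of one string. The pointer difference
 * is validated while still signed, then converted to size_t once. */
char *dup_range(const char *start, const char *end)
{
    if (start == NULL || end == NULL)
        return NULL;
    ptrdiff_t diff = end - start;
    if (diff < 0)                   /* inverted range: never cast to size_t */
        return NULL;
    return dup_len(start, (size_t)diff);
}

int main(void)
{
    const char *path = "Systems[Id=1]";   /* constructed sample input */
    char *name = dup_range(path, strchr(path, '['));
    printf("%s\n", name ? name : "(rejected)");
    free(name);
    return 0;
}
```

Every failure path returns NULL, so a caller such as a value-returning string helper can propagate the error instead of returning without a value.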
