From: houjingyi
Date: Wed, 25 Jan 2023 22:23:07 +0800
Subject: [edk2-devel] [PATCH] RedfishPkg/RedfishLib: Avoid possible overflow in memcpy
To: devel@edk2.groups.io

From 0541928e66eb01802a855bbbae125ef0b02259d6 Mon Sep 17 00:00:00 2001
From: houjingyi233 <houjingyi647@gmail.com>
Date: Wed, 25 Jan 2023 22:11:31 +0800
Subject: [PATCH] RedfishPkg/RedfishLib: Avoid possible overflow in memcpy

It is possible that when the third argument of the memcpy is unequal
to the first argument of malloc, an overflow will occur: when the +1 in
malloc causes an int overflow, malloc allocates a very small amount of
memory and the following memcpy will cause a heap overflow.

Signed-off-by: houjingyi233 <houjingyi647@gmail.com>
---
 .../RedfishLib/edk2libredfish/src/redpath.c           | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/s= rc/redpath.c b/RedfishPkg/PrivateLibrary/RedfishLib/edk2libredfish/src/redp= ath.c
index cf5ab85165..a1523938f7 100644
--- a/RedfishPkg/PrivateLib= rary/RedfishLib/edk2libredfish/src/redpath.c
+++ b/RedfishPkg/PrivateLib= rary/RedfishLib/edk2libredfish/src/redpath.c
@@ -175,6 +175,10 @@ parseN= ode (
=C2=A0 =C2=A0 =C2=A0return;
=C2=A0 =C2=A0}
=C2=A0
+ =C2= =A0if ((opChars - index)+1 < opChars - index) {
+ =C2=A0 =C2=A0return= ;
+ =C2=A0}
+
=C2=A0 =C2=A0node->next->propName =3D (char *)= malloc ((opChars - index)+1);
=C2=A0 =C2=A0memcpy (node->next->pro= pName, index, (opChars - index));
=C2=A0 =C2=A0node->next->propNam= e[(opChars - index)] =3D 0;
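Review bot: The added guard `(opChars - index)+1 < opChars - index` is evaluated on a signed value: `index` and `opChars` are both passed to memcpy as source pointers, so their difference is a ptrdiff_t. Signed overflow is undefined behaviour in C, so a compiler is entitled to treat the comparison as always false and drop the check. Convert the difference to a size_t once (after confirming opChars >= index), compare it against SIZE_MAX before adding 1, and reuse that one variable in malloc, memcpy and the terminator write so the three sizes cannot drift apart. The malloc result in the context line is also used by memcpy without a NULL check.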
@@ -189,6 +193,9 @@ parseNode (
=C2=A0 = =C2=A0 =C2=A0break;
=C2=A0 =C2=A0}
=C2=A0
+ =C2=A0if (tmpIndex+1 &= lt; tmpIndex) {
+ =C2=A0 =C2=A0return;
+ =C2=A0}
=C2=A0 =C2=A0node= ->next->op =3D (char *)malloc (tmpIndex+1);
=C2=A0 =C2=A0memcpy (n= ode->next->op, opChars, tmpIndex);
=C2=A0 =C2=A0node->next->= op[tmpIndex] =3D 0;
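Review bot: The early `return;` added before the malloc for node->next->op exits with no error indication and leaves node->next->op unassigned, so the caller is handed a partially built node with no way to tell that parsing stopped. Consider cleaning up or marking the node before returning. Whether `tmpIndex+1 < tmpIndex` can ever be true depends on the type of tmpIndex, which is not visible in this hunk: it is a valid wrap test only for an unsigned type. Style: this hunk omits the blank line after the closing brace that the other two hunks add.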
@@ -217,6 +224,10 @@ getStringTill (
=C2=A0 =C2= =A0 =C2=A0return strdup (string);
=C2=A0 =C2=A0}
=C2=A0
+ =C2=A0if= ((end-string)+1 < end-string) {
+ =C2=A0 =C2=A0return;
+ =C2=A0}<= br>+
=C2=A0 =C2=A0ret =3D (char *)malloc ((end-string)+1);
=C2=A0 =C2= =A0memcpy (ret, string, (end-string));
=C2=A0 =C2=A0ret[(end-string)] = =3D 0;
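Review bot: The new `return;` in getStringTill returns no value, but the context line `return strdup (string);` shows the function returns a char *. A bare return in a non-void function is a constraint violation in C99 and later, and a caller that uses the result would read an indeterminate pointer. Use `return NULL;` and make sure callers handle it. The test `(end-string)+1 < end-string` is also a signed ptrdiff_t comparison, where overflow is undefined and the check may be optimised out; do the arithmetic in size_t instead.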
--
2.37.3
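
The allocate-then-copy pattern the commit message describes, written so the length is computed once in an unsigned type and checked before the +1. This is an added example, not part of the patch or of edk2libredfish; `dup_range` and `alloc_size_for` are hypothetical names, and `start` and `end` are assumed to point into the same string.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: compute len + 1 without wrapping.
 * Returns 1 and stores the size on success, 0 if len + 1 would wrap to 0. */
int alloc_size_for(size_t len, size_t *size_out)
{
    if (len > SIZE_MAX - 1) {
        return 0;
    }
    *size_out = len + 1;
    return 1;
}

/* Hypothetical helper: copy the bytes in [start, end) into a new
 * NUL-terminated buffer. Returns NULL on a reversed range, a length
 * that leaves no room for the terminator, or allocation failure. */
char *dup_range(const char *start, const char *end)
{
    size_t len;
    size_t size;
    char *out;

    if (start == NULL || end == NULL || end < start) {
        return NULL;   /* a negative difference would become a huge size_t */
    }
    len = (size_t)(end - start);   /* non-negative here, so the cast is exact */
    if (!alloc_size_for(len, &size)) {
        return NULL;
    }
    out = malloc(size);
    if (out == NULL) {
        return NULL;
    }
    memcpy(out, start, len);       /* same len that sized the buffer */
    out[len] = '\0';
    return out;
}
```

The unsigned comparison `len > SIZE_MAX - 1` is well defined, so it cannot be optimised away the way a signed `x + 1 < x` test can.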
