diff options
author | Hao Wu <hao.a.wu@intel.com> | 2015-07-13 01:24:00 +0000 |
---|---|---|
committer | hwu1225 <hwu1225@Edk2> | 2015-07-13 01:24:00 +0000 |
commit | 2673ffb3561be2bc31bbf0a81801c0b88c5b7fbd (patch) | |
tree | bf7ed722610721ce51e615ca63b383aea006400f /IntelFrameworkModulePkg/Universal | |
parent | 577870d5603dca32d878e9908a7ec4d2852b590a (diff) | |
download | edk2-2673ffb3561be2bc31bbf0a81801c0b88c5b7fbd.zip edk2-2673ffb3561be2bc31bbf0a81801c0b88c5b7fbd.tar.gz edk2-2673ffb3561be2bc31bbf0a81801c0b88c5b7fbd.tar.bz2 |
IntelFrameworkModulePkg DeviceMngr: Potential read over memory boundary
This commit will resolve the issue brought by r17738.
String = AllocateCopyPool (BufferLen, L"MAC:");
The above using of AllocateCopyPool() will read contents out of the scope
of the constant string. Potential risk for the constant string allocated
at the boundary of memory region.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qiu Shumin <shumin.qiu@intel.com>
Reviewed-by: Jeff Fan <jeff.fan@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17933 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'IntelFrameworkModulePkg/Universal')
-rw-r--r-- | IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c b/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c index 5da0d47..af2b18a 100644 --- a/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c +++ b/IntelFrameworkModulePkg/Universal/BdsDxe/DeviceMngr/DeviceManager.c @@ -374,12 +374,13 @@ GetMacAddressString( // The size is the Number size + ":" size + Vlan size(\XXXX) + End
//
BufferLen = (4 + 2 * HwAddressSize + (HwAddressSize - 1) + 5 + 1) * sizeof (CHAR16);
- String = AllocateCopyPool (BufferLen, L"MAC:");
+ String = AllocateZeroPool (BufferLen);
if (String == NULL) {
return FALSE;
}
*PBuffer = String;
+ StrCpyS (String, BufferLen / sizeof (CHAR16), L"MAC:");
String += 4;
//
|