From 9d00d20ed40fb56d8b5a8e1a3f7ae3e491ceaf94 Mon Sep 17 00:00:00 2001
From: lzeng14 <lzeng14@6f19259b-4bc3-4df7-8a09-765794883524>
Date: Thu, 25 Apr 2013 10:49:45 +0000
Subject: 1. Use the check IsAddressValid() to prevent SMM communication buffer
 overflow in SmmVariable, FtwSmm, FpdtSmm, SmmCorePerformance and
 SmmBaseHelper, and add check to prevent InfoSize overflows in
 SmmVariableHandler. 2. Refine the debug message. 3. Add check to make sure
 the input VariableName is A Null-terminated string. 4. Use local variable to
 hold StrSize (VariableName) to avoid duplicated StrSize calculation.

Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14317 6f19259b-4bc3-4df7-8a09-765794883524
---
 MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'MdeModulePkg/Universal/LockBox')

diff --git a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
index e8b831e..7a0d6d2 100644
--- a/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
+++ b/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c
@@ -9,7 +9,7 @@
   SmmLockBoxHandler(), SmmLockBoxRestore(), SmmLockBoxUpdate(), SmmLockBoxSave()
   will receive untrusted input and do basic validation.
 
-Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>
 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions
@@ -125,7 +125,7 @@ SmmLockBoxSave (
   // Sanity check
   //
   if (!IsAddressValid ((UINTN)LockBoxParameterSave->Buffer, (UINTN)LockBoxParameterSave->Length)) {
-    DEBUG ((EFI_D_ERROR, "SmmLockBox Save address in SMRAM!\n"));
+    DEBUG ((EFI_D_ERROR, "SmmLockBox Save address in SMRAM or buffer overflow!\n"));
     LockBoxParameterSave->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
     return ;
   }
@@ -203,7 +203,7 @@ SmmLockBoxUpdate (
   // Sanity check
   //
   if (!IsAddressValid ((UINTN)LockBoxParameterUpdate->Buffer, (UINTN)LockBoxParameterUpdate->Length)) {
-    DEBUG ((EFI_D_ERROR, "SmmLockBox Update address in SMRAM!\n"));
+    DEBUG ((EFI_D_ERROR, "SmmLockBox Update address in SMRAM or buffer overflow!\n"));
     LockBoxParameterUpdate->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
     return ;
   }
@@ -241,7 +241,7 @@ SmmLockBoxRestore (
   // Sanity check
   //
   if (!IsAddressValid ((UINTN)LockBoxParameterRestore->Buffer, (UINTN)LockBoxParameterRestore->Length)) {
-    DEBUG ((EFI_D_ERROR, "SmmLockBox Restore address in SMRAM!\n"));
+    DEBUG ((EFI_D_ERROR, "SmmLockBox Restore address in SMRAM or buffer overflow!\n"));
     LockBoxParameterRestore->Header.ReturnStatus = (UINT64)EFI_ACCESS_DENIED;
     return ;
   }
@@ -320,7 +320,7 @@ SmmLockBoxHandler (
     return EFI_SUCCESS;
   }
   if (!IsAddressValid ((UINTN)CommBuffer, *CommBufferSize)) {
-    DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer in SMRAM!\n"));
+    DEBUG ((EFI_D_ERROR, "SmmLockBox Command Buffer in SMRAM or overflow!\n"));
     return EFI_SUCCESS;
   }
 
-- 
cgit v1.1