From c69055b8465a2c68d2d624883359e540ebb04709 Mon Sep 17 00:00:00 2001 From: Jeff Fan Date: Mon, 29 Jun 2009 09:19:25 +0000 Subject: [PATCH] add security check. --- MdeModulePkg/Library/DxeNetLib/DxeNetLib.c | 3 +++ MdeModulePkg/Library/DxeNetLib/NetBuffer.c | 4 +++- MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c | 18 +++++++++++------- MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Impl.c | 5 +++-- MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c | 5 +++-- MdeModulePkg/Universal/Network/IScsiDxe/IScsiCHAP.c | 5 ++--- MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c | 5 ++++- .../Universal/Network/Ip4ConfigDxe/Ip4ConfigNv.c | 2 ++ MdeModulePkg/Universal/Network/Ip4Dxe/Ip4If.c | 4 ++-- MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Igmp.c | 5 ++++- MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Impl.c | 6 +++++- MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c | 6 +++++- MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Rrq.c | 4 ++-- .../Universal/Network/Mtftp4Dxe/Mtftp4Support.c | 7 +++++-- MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Wrq.c | 3 ++- MdeModulePkg/Universal/Network/SnpDxe/Snp.c | 4 ++-- MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Output.c | 7 +++++-- MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c | 3 ++- MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Main.c | 4 +++- .../Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c | 14 ++++++++++++-- .../Universal/Network/UefiPxeBcDxe/PxeBcImpl.c | 13 ++++++++----- .../Universal/Network/UefiPxeBcDxe/PxeBcSupport.c | 3 ++- 22 files changed, 90 insertions(+), 40 deletions(-) diff --git a/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c b/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c index 8bf2cbd3b..32c81c17b 100644 --- a/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c +++ b/MdeModulePkg/Library/DxeNetLib/DxeNetLib.c @@ -1286,6 +1286,9 @@ NetLibDefaultAddressIsStatic ( // Construct config request string header // ConfigHdr = HiiConstructConfigHdr (&gEfiNicIp4ConfigVariableGuid, EFI_NIC_IP4_CONFIG_VARIABLE, Controller); + if (ConfigHdr == NULL) { + return TRUE; + } Len = StrLen (ConfigHdr); ConfigResp = AllocateZeroPool ((Len + NIC_ITEM_CONFIG_SIZE * 2 + 100) * sizeof (CHAR16)); diff --git a/MdeModulePkg/Library/DxeNetLib/NetBuffer.c b/MdeModulePkg/Library/DxeNetLib/NetBuffer.c index 61d49087e..3fbb6094a 100644 --- a/MdeModulePkg/Library/DxeNetLib/NetBuffer.c +++ b/MdeModulePkg/Library/DxeNetLib/NetBuffer.c @@ -1,7 +1,7 @@ /** @file Network library functions providing net buffer operation support. -Copyright (c) 2005 - 2006, Intel Corporation.
+Copyright (c) 2005 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -1506,6 +1506,8 @@ NetbufQueCopy ( Cur += Nbuf->TotalSize; } + ASSERT (Nbuf != NULL); + // // Copy the data in the first buffer. // diff --git a/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c b/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c index d42937ef3..aa4707294 100644 --- a/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c +++ b/MdeModulePkg/Universal/Network/ArpDxe/ArpImpl.c @@ -1,7 +1,7 @@ /** @file The implementation of the ARP protocol. -Copyright (c) 2006 - 2008, Intel Corporation.
+Copyright (c) 2006 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at
@@ -1083,6 +1083,7 @@ ArpSendFrame ( Packet = AllocatePool (TotalLength); if (Packet == NULL) { DEBUG ((EFI_D_ERROR, "ArpSendFrame: Allocate memory for Packet failed.\n")); + ASSERT (Packet != NULL); } TmpPtr = Packet; @@ -1451,6 +1452,7 @@ ArpFindCacheEntry ( UINT32 FoundCount; EFI_ARP_FIND_DATA *FindData; LIST_ENTRY *CacheTable; + UINT32 FoundEntryLength; ArpService = Instance->ArpService; @@ -1567,12 +1569,14 @@ ArpFindCacheEntry ( goto CLEAN_EXIT; } + // + // Found the entry length, make sure its 8 bytes alignment. + // + FoundEntryLength = (((sizeof (EFI_ARP_FIND_DATA) + Instance->ConfigData.SwAddressLength + + ArpService->SnpMode.HwAddressSize) + 3) & ~(0x3)); + if (EntryLength != NULL) { - // - // Return the entry length, make sure its 8 bytes alignment. - // - *EntryLength = (((sizeof (EFI_ARP_FIND_DATA) + Instance->ConfigData.SwAddressLength + - ArpService->SnpMode.HwAddressSize) + 3) & ~(0x3)); + *EntryLength = FoundEntryLength; } if (EntryCount != NULL) { @@ -1589,7 +1593,7 @@ ArpFindCacheEntry ( // // Allocate buffer to copy the found entries. // - FindData = AllocatePool (FoundCount * (*EntryLength)); + FindData = AllocatePool (FoundCount * FoundEntryLength); if (FindData == NULL) { DEBUG ((EFI_D_ERROR, "ArpFindCacheEntry: Failed to allocate memory.\n")); Status = EFI_OUT_OF_RESOURCES; diff --git a/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Impl.c b/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Impl.c index f2c2100d3..6d8223045 100644 --- a/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Impl.c +++ b/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Impl.c @@ -1,7 +1,7 @@ /** @file This file implement the EFI_DHCP4_PROTOCOL interface. -Copyright (c) 2006 - 2008, Intel Corporation.
+Copyright (c) 2006 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -1313,12 +1313,13 @@ PxeDhcpInput ( // Len = NET_ROUNDUP (sizeof (EFI_DHCP4_PACKET) + UdpPacket->TotalSize - sizeof (EFI_DHCP4_HEADER), 4); Wrap = NetbufAlloc (Len); - if (Wrap == NULL) { goto RESTART; } Packet = (EFI_DHCP4_PACKET *) NetbufAllocSpace (Wrap, Len, NET_BUF_TAIL); + ASSERT (Packet != NULL); + Packet->Size = Len; Head = &Packet->Dhcp4.Header; Packet->Length = NetbufCopy (UdpPacket, 0, UdpPacket->TotalSize, (UINT8 *) Head); diff --git a/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c b/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c index e49e1e44f..11b8978b4 100644 --- a/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c +++ b/MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c @@ -1,7 +1,7 @@ /** @file Function to validate, parse, process the DHCP options. -Copyright (c) 2006 - 2008, Intel Corporation.
+Copyright (c) 2006 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -668,8 +668,8 @@ DhcpValidateOptions ( } AllOption = NULL; - Status = DhcpParseOption (Packet, &Count, &AllOption); + Status = DhcpParseOption (Packet, &Count, &AllOption); if (EFI_ERROR (Status) || (Count == 0)) { return Status; } @@ -679,6 +679,7 @@ DhcpValidateOptions ( for (Index = 0; Index < Count; Index++) { Option = &AllOption[Index]; + ASSERT (Option != NULL); // // Find the format of the option then validate it. diff --git a/MdeModulePkg/Universal/Network/IScsiDxe/IScsiCHAP.c b/MdeModulePkg/Universal/Network/IScsiDxe/IScsiCHAP.c index b0e09d800..dc6567498 100644 --- a/MdeModulePkg/Universal/Network/IScsiDxe/IScsiCHAP.c +++ b/MdeModulePkg/Universal/Network/IScsiDxe/IScsiCHAP.c @@ -1,7 +1,7 @@ /** @file This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration. -Copyright (c) 2004 - 2008, Intel Corporation.
+Copyright (c) 2004 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -165,8 +165,7 @@ IScsiCHAPOnRspReceived ( // KeyValueList = IScsiBuildKeyValueList ((CHAR8 *) Data, Len); if (KeyValueList == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; + return EFI_OUT_OF_RESOURCES; } Status = EFI_PROTOCOL_ERROR; diff --git a/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c b/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c index 5275638d1..9eff1850b 100644 --- a/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c +++ b/MdeModulePkg/Universal/Network/IScsiDxe/IScsiMisc.c @@ -1,7 +1,7 @@ /** @file Miscellaneous routines for iSCSI driver. -Copyright (c) 2004 - 2008, Intel Corporation.
+Copyright (c) 2004 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -744,6 +744,9 @@ IScsiGetTcpConnDevicePath ( // Duplicate it. // DevicePath = DuplicateDevicePath (DevicePath); + if (DevicePath == NULL) { + return NULL; + } DPathNode = (EFI_DEV_PATH *) DevicePath; diff --git a/MdeModulePkg/Universal/Network/Ip4ConfigDxe/Ip4ConfigNv.c b/MdeModulePkg/Universal/Network/Ip4ConfigDxe/Ip4ConfigNv.c index b7de20388..a5b7c93eb 100644 --- a/MdeModulePkg/Universal/Network/Ip4ConfigDxe/Ip4ConfigNv.c +++ b/MdeModulePkg/Universal/Network/Ip4ConfigDxe/Ip4ConfigNv.c @@ -736,6 +736,8 @@ Ip4FormCallback ( case KEY_SAVE_CHANGES: Ip4ConfigInstance = Private->Current->Ip4ConfigInstance; NicInfo = AllocateZeroPool (sizeof (NIC_IP4_CONFIG_INFO) + 2 * sizeof (EFI_IP4_ROUTE_TABLE)); + ASSERT (NicInfo != NULL); + NicInfo->Ip4Info.RouteTable = (EFI_IP4_ROUTE_TABLE *) (NicInfo + 1); if (!Private->Current->SessionConfigData.Enabled) { diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4If.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4If.c index 9cb714731..dd2674d22 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4If.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4If.c @@ -1,7 +1,7 @@ /** @file Implement IP4 pesudo interface. -Copyright (c) 2005 - 2007, Intel Corporation.
+Copyright (c) 2005 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -582,7 +582,7 @@ Ip4SetAddress ( Type = NetGetIpClass (IpAddr); Len = NetGetMaskLength (SubnetMask); - Netmask = gIp4AllMasks[MIN (Len, Type << 3)]; + Netmask = gIp4AllMasks[MIN ((Len - 1), Type << 3)]; Interface->NetBrdcast = (IpAddr | ~Netmask); // diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Igmp.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Igmp.c index 9b201c2ea..7b56a6664 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Igmp.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Igmp.c @@ -1,7 +1,7 @@ /** @file This file implements the RFC2236: IGMP v2. -Copyright (c) 2005 - 2006, Intel Corporation.
+Copyright (c) 2005 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -192,6 +192,9 @@ Ip4SendIgmpMessage ( NetbufReserve (Packet, IP4_MAX_HEADLEN); Igmp = (IGMP_HEAD *) NetbufAllocSpace (Packet, sizeof (IGMP_HEAD), FALSE); + if (Igmp == NULL) { + return EFI_OUT_OF_RESOURCES; + } Igmp->Type = Type; Igmp->MaxRespTime = 0; diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Impl.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Impl.c index 362e084a7..84a39656f 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Impl.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Impl.c @@ -1,6 +1,6 @@ /** @file -Copyright (c) 2005 - 2007, Intel Corporation.
+Copyright (c) 2005 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -1314,6 +1314,10 @@ Ip4Groups ( // host byte order // if (JoinFlag) { + // + // When JoinFlag is TRUE, GroupAddress shouldn't be NULL. + // + ASSERT (GroupAddress != NULL); CopyMem (&Group, GroupAddress, sizeof (IP4_ADDR)); for (Index = 0; Index < IpInstance->GroupCount; Index++) { diff --git a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c index 0f4948d46..964fb96a7 100644 --- a/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c +++ b/MdeModulePkg/Universal/Network/Ip4Dxe/Ip4Input.c @@ -1,7 +1,7 @@ /** @file IP4 input process. -Copyright (c) 2005 - 2007, Intel Corporation.
+Copyright (c) 2005 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -265,6 +265,10 @@ Ip4Reassemble ( InsertHeadList (&Table->Bucket[Index], &Assemble->Link); } + // + // Assemble shouldn't be NULL here + // + ASSERT (Assemble != NULL); // // Find the point to insert the packet: before the first diff --git a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Rrq.c b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Rrq.c index 3f64bf05d..f5b6bbc88 100644 --- a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Rrq.c +++ b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Rrq.c @@ -1,7 +1,7 @@ /** @file Routines to process Rrq (download). -Copyright (c) 2006 - 2007, Intel Corporation
+Copyright (c) 2006 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -99,7 +99,6 @@ Mtftp4RrqSendAck ( NET_BUF *Packet; Packet = NetbufAlloc (sizeof (EFI_MTFTP4_ACK_HEADER)); - if (Packet == NULL) { return EFI_OUT_OF_RESOURCES; } @@ -109,6 +108,7 @@ Mtftp4RrqSendAck ( sizeof (EFI_MTFTP4_ACK_HEADER), FALSE ); + ASSERT (Ack != NULL); Ack->Ack.OpCode = HTONS (EFI_MTFTP4_OPCODE_ACK); Ack->Ack.Block[0] = HTONS (BlkNo); diff --git a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Support.c b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Support.c index be3c8c95f..5c8516f63 100644 --- a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Support.c +++ b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Support.c @@ -1,7 +1,7 @@ /** @file Support routines for Mtftp. -Copyright (c) 2006 - 2007, Intel Corporation
+Copyright (c) 2006 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -291,6 +291,8 @@ Mtftp4SendRequest ( } Packet = (EFI_MTFTP4_PACKET *) NetbufAllocSpace (Nbuf, Len, FALSE); + ASSERT (Packet != NULL); + Packet->OpCode = HTONS (Instance->Operation); Cur = Packet->Rrq.Filename; Cur = (UINT8 *) AsciiStrCpy ((CHAR8 *) Cur, (CHAR8 *) Token->Filename); @@ -335,12 +337,13 @@ Mtftp4SendError ( Len = (UINT32) (AsciiStrLen ((CHAR8 *) ErrInfo) + sizeof (EFI_MTFTP4_ERROR_HEADER)); Packet = NetbufAlloc (Len); - if (Packet == NULL) { return EFI_OUT_OF_RESOURCES; } TftpError = (EFI_MTFTP4_PACKET *) NetbufAllocSpace (Packet, Len, FALSE); + ASSERT (TftpError != NULL); + TftpError->OpCode = HTONS (EFI_MTFTP4_OPCODE_ERROR); TftpError->Error.ErrorCode = HTONS (ErrCode); diff --git a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Wrq.c b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Wrq.c index cb39da48c..872b2953c 100644 --- a/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Wrq.c +++ b/MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Wrq.c @@ -1,7 +1,7 @@ /** @file Routines to process Wrq (upload). -Copyright (c) 2006, Intel Corporation
+Copyright (c) 2006 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -52,6 +52,7 @@ Mtftp4WrqSendBlock ( } Packet = (EFI_MTFTP4_PACKET *) NetbufAllocSpace (UdpPacket, MTFTP4_DATA_HEAD_LEN, FALSE); + ASSERT (Packet != NULL); Packet->Data.OpCode = HTONS (EFI_MTFTP4_OPCODE_DATA); Packet->Data.Block = HTONS (BlockNum); diff --git a/MdeModulePkg/Universal/Network/SnpDxe/Snp.c b/MdeModulePkg/Universal/Network/SnpDxe/Snp.c index 7e98baa8e..213b724e5 100644 --- a/MdeModulePkg/Universal/Network/SnpDxe/Snp.c +++ b/MdeModulePkg/Universal/Network/SnpDxe/Snp.c @@ -1,5 +1,5 @@ /** @file - Implementation of driver entry point and driver binding protocol. + Implementation of driver entry point and driver binding protocol. Copyright (c) 2004 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed @@ -860,7 +860,7 @@ AddV2P ( } *V2p = AllocatePool (sizeof (V2P)); - if (*V2p != NULL) { + if (*V2p == NULL) { return EFI_OUT_OF_RESOURCES; } diff --git a/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Output.c b/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Output.c index c9a1f6b10..956385a91 100644 --- a/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Output.c +++ b/MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Output.c @@ -1,7 +1,7 @@ /** @file TCP output process routines. -Copyright (c) 2005 - 2006, Intel Corporation
+Copyright (c) 2005 - 2009, Intel Corporation
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -445,7 +445,9 @@ TcpGetSegmentSndQue ( } } - ASSERT (Cur != Head); + ASSERT (Cur != Head); + ASSERT (Node != NULL); + ASSERT (Seg != NULL); // // Return the buffer if it can be returned without @@ -750,6 +752,7 @@ SEND_AGAIN: Len = TcpDataToSend (Tcb, Force); Seq = Tcb->SndNxt; + ASSERT ((Tcb->State) < (sizeof (mTcpOutFlag) / sizeof (mTcpOutFlag[0]))); Flag = mTcpOutFlag[Tcb->State]; if ((Flag & TCP_FLG_SYN) != 0) { diff --git a/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c b/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c index 0440f1558..0f14021e2 100644 --- a/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c +++ b/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Impl.c @@ -1,7 +1,7 @@ /** @file The implementation of the Udp4 protocol. -Copyright (c) 2006 - 2008, Intel Corporation.
+Copyright (c) 2006 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -1718,6 +1718,7 @@ Udp4SendPortUnreach ( // Allocate space for the IP4_ICMP_ERROR_HEAD. // IcmpErrHdr = (IP4_ICMP_ERROR_HEAD *) NetbufAllocSpace (Packet, Len, FALSE); + ASSERT (IcmpErrHdr != NULL); // // Set the required fields for the icmp port unreachable message. diff --git a/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Main.c b/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Main.c index a787ec440..f3ff95463 100644 --- a/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Main.c +++ b/MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Main.c @@ -1,6 +1,6 @@ /** @file -Copyright (c) 2006 - 2007, Intel Corporation.
+Copyright (c) 2006 - 2009, Intel Corporation.
All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -576,6 +576,8 @@ Udp4Transmit ( *((UINTN *) &Packet->ProtoData[0]) = (UINTN) (Udp4Service->IpIo); Udp4Header = (EFI_UDP4_HEADER *) NetbufAllocSpace (Packet, UDP4_HEADER_SIZE, TRUE); + ASSERT (Udp4Header != NULL); + ConfigData = &Instance->ConfigData; // diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c index ad7d139cf..9b5080f15 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcDhcp.c @@ -274,6 +274,7 @@ PxeBcTryBinl ( PXEBC_CACHED_DHCP4_PACKET *CachedPacket; EFI_DHCP4_PACKET *Reply; + ASSERT (Index < PXEBC_MAX_OFFER_NUM); ASSERT (Private->Dhcp4Offers[Index].OfferType == DHCP4_PACKET_TYPE_BINL); Offer = &Private->Dhcp4Offers[Index].Packet.Offer; @@ -560,6 +561,7 @@ PxeBcCacheDhcpOffer ( } OfferType = CachedOffer->OfferType; + ASSERT (OfferType < DHCP4_PACKET_TYPE_MAX); if (OfferType == DHCP4_PACKET_TYPE_BOOTP) { @@ -603,6 +605,7 @@ PxeBcCacheDhcpOffer ( // // It's a dhcp offer with your address. // + ASSERT (Private->ServerCount[OfferType] < PXEBC_MAX_OFFER_NUM); Private->OfferIndex[OfferType][Private->ServerCount[OfferType]] = Private->NumOffers; Private->ServerCount[OfferType]++; } @@ -1119,6 +1122,7 @@ PxeBcDiscvBootService ( EFI_DHCP4_HEADER *DhcpHeader; UINT32 Xid; + ASSERT (IsDiscv && (Layer != NULL)); Mode = Private->PxeBc.Mode; Dhcp4 = Private->Dhcp4; @@ -1717,15 +1721,21 @@ PxeBcSelectBootMenu ( MenuSize = VendorOpt->BootMenuLen; MenuItem = VendorOpt->BootMenu; + if (MenuSize == 0) { + return EFI_NOT_READY; + } + while (MenuSize > 0) { MenuArray[Index] = MenuItem; MenuSize = (UINT8) (MenuSize - (MenuItem->DescLen + 3)); MenuItem = (PXEBC_BOOT_MENU_ENTRY *) ((UINT8 *) MenuItem + MenuItem->DescLen + 3); - Index++; + if (Index++ > (PXEBC_MAX_MENU_NUM - 1)) { + break; + } } if (UseDefaultItem) { - CopyMem (Type, &MenuArray[0]->Type, sizeof (UINT16)); + *Type = MenuArray[0]->Type; *Type = NTOHS (*Type); return EFI_SUCCESS; } diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcImpl.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcImpl.c index 15444c108..663d4a020 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcImpl.c +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcImpl.c @@ -1432,6 +1432,8 @@ CheckIpByFilter ( return TRUE; } + ASSERT (PxeBcMode->IpFilter.IpCnt < EFI_PXE_BASE_CODE_MAX_IPCNT); + for (Index = 0; Index < PxeBcMode->IpFilter.IpCnt; Index++) { CopyMem ( &Ip4Address, @@ -1755,20 +1757,20 @@ EfiPxeBcSetIpFilter ( BOOLEAN PromiscuousNeed; if (This == NULL) { - DEBUG ((EFI_D_ERROR, "BC *This pointer == NULL.\n")); + DEBUG ((EFI_D_ERROR, "This == NULL.\n")); return EFI_INVALID_PARAMETER; } Private = PXEBC_PRIVATE_DATA_FROM_PXEBC (This); Mode = Private->PxeBc.Mode; - if (Private == NULL) { - DEBUG ((EFI_D_ERROR, "PXEBC_PRIVATE_DATA poiner == NULL.\n")); + if (NewFilter == NULL) { + DEBUG ((EFI_D_ERROR, "NewFilter == NULL.\n")); return EFI_INVALID_PARAMETER; } - if (NewFilter == NULL) { - DEBUG ((EFI_D_ERROR, "IP Filter *NewFilter == NULL.\n")); + if (NewFilter->IpCnt > EFI_PXE_BASE_CODE_MAX_IPCNT) { + DEBUG ((EFI_D_ERROR, "NewFilter->IpCnt > %d.\n", EFI_PXE_BASE_CODE_MAX_IPCNT)); return EFI_INVALID_PARAMETER; } @@ -1778,6 +1780,7 @@ EfiPxeBcSetIpFilter ( } PromiscuousNeed = FALSE; + for (Index = 0; Index < NewFilter->IpCnt; ++Index) { if (IP4_IS_LOCAL_BROADCAST (EFI_IP4 (NewFilter->IpList[Index].v4))) { // diff --git a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcSupport.c b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcSupport.c index 9327f6206..087c2619a 100644 --- a/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcSupport.c +++ b/MdeModulePkg/Universal/Network/UefiPxeBcDxe/PxeBcSupport.c @@ -250,9 +250,10 @@ CvtNum ( { UINTN Remainder; - while (Length-- > 0) { + while (Length > 0) { Remainder = Number % 10; Number /= 10; + Length--; Buffer[Length] = (UINT8) ('0' + Remainder); } } -- 2.11.4.GIT