PUBLIC_REPOS
/
buildroot
kopia lustrzana git://git.buildroot.net/buildroot


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475
							From 0a3b2a29b96b11fb858974044359c806c6b0a111 Mon Sep 17 00:00:00 2001
From: Santhosh Kumar V <santhoshkumarv@ami.com>
Date: Wed, 7 May 2025 18:53:30 +0530
Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for out of bound memory access for
 bz4207 (CVE-2024-38805)

In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len.
Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .

Upstream: https://github.com/tianocore/edk2/commit/b3a2f7ff24e156e8c4d694fffff01e95a048c536
Signed-off-by: santhosh kumar V <santhoshkumarv@ami.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
---
 NetworkPkg/IScsiDxe/IScsiProto.c | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
index ef587649a0..53a0ff801d 100644
--- a/NetworkPkg/IScsiDxe/IScsiProto.c
+++ b/NetworkPkg/IScsiDxe/IScsiProto.c
@@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
 {
   LIST_ENTRY            *ListHead;
   ISCSI_KEY_VALUE_PAIR  *KeyValuePair;
+  EFI_STATUS            Status;
+  UINT32                Result;
 
   ListHead = AllocatePool (sizeof (LIST_ENTRY));
   if (ListHead == NULL) {
@@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
       Data++;
     }
 
-    if (*Data == '=') {
+    // Here Len must not be zero.
+    // The value of Len is size of data buffer. Actually, Data is make up of strings.
+    // AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
+    // (1) Len == 0, *Data != '=' goto ON_ERROR
+    // (2) *Data == '=', Len != 0 normal case.
+    // (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
+    if ((Len > 0) && (*Data == '=')) {
       *Data = '\0';
-
       Data++;
       Len--;
     } else {
@@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (
 
     KeyValuePair->Value = Data;
 
-    InsertTailList (ListHead, &KeyValuePair->List);
+    Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
+      FreePool (KeyValuePair);
+      goto ON_ERROR;
+    }
 
-    Data += AsciiStrLen (KeyValuePair->Value) + 1;
-    Len  -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
+    Status = SafeUint32Sub (Len, Result, &Len);
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
+      FreePool (KeyValuePair);
+      goto ON_ERROR;
+    }
+
+    InsertTailList (ListHead, &KeyValuePair->List);
+    Data += Result;
   }
 
   return ListHead;
-- 
2.49.0