From b3a2f7ff24e156e8c4d694fffff01e95a048c536 Mon Sep 17 00:00:00 2001
From: Santhosh Kumar V
Date: Wed, 7 May 2025 18:53:30 +0530
Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for out of bound memory access for bz4207 (CVE-2024-38805)

In IScsiBuildKeyValueList, check if we have any data left (Len > 0) before advancing the Data pointer and reducing Len. Avoids wrapping Len. Also Used SafeUint32SubSafeUint32Sub call to reduce the Len .

Signed-off-by: santhosh kumar V
---
 NetworkPkg/IScsiDxe/IScsiProto.c | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
index fb48e6304d..13394dbfc6 100644
--- a/NetworkPkg/IScsiDxe/IScsiProto.c
+++ b/NetworkPkg/IScsiDxe/IScsiProto.c
@@ -1880,6 +1880,8 @@ IScsiBuildKeyValueList (
{
LIST_ENTRY *ListHead;
ISCSI_KEY_VALUE_PAIR *KeyValuePair;
+ EFI_STATUS Status;
+ UINT32 Result;

ListHead = AllocatePool (sizeof (LIST_ENTRY));
if (ListHead == NULL) {
@@ -1903,9 +1905,14 @@ IScsiBuildKeyValueList (
Data++;
}

- if (*Data == '=') {
+ // Here Len must not be zero.
+ // The value of Len is size of data buffer. Actually, Data is make up of strings.
+ // AuthMethod=None\0TargetAlias=LIO Target\0 TargetPortalGroupTag=1\0
+ // (1) Len == 0, *Data != '=' goto ON_ERROR
+ // (2) *Data == '=', Len != 0 normal case.
+ // (3) *Data == '=', Len == 0, Between Data and Len are mismatch, Len isn't all size of data, as error.
+ if ((Len > 0) && (*Data == '=')) {
*Data = '\0';
-
Data++;
Len--;
} else {
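Review bot: The six-line comment added above the `if` is hard to read (`Data is make up of strings`, `Between Data and Len are mismatch`), and its case (3) describes a state the new short-circuit condition never evaluates, since `*Data` is only read once `Len > 0` has passed. The reason the guard exists is simpler and worth stating directly, e.g. `// The scan above may have consumed the whole buffer (Len == 0); reading *Data there is out of bounds, and a key with no '=' within Len bytes is a malformed pair.` That replaces all six lines without losing the example string, which can stay as a second line if it helps. The `else` branch of this `if` continues outside the hunk.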
@@ -1915,10 +1922,22 @@ IScsiBuildKeyValueList (

KeyValuePair->Value = Data;

- InsertTailList (ListHead, &KeyValuePair->List);
+ Status = SafeUint32Add ((UINT32)AsciiStrLen (KeyValuePair->Value), 1, &Result);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a Memory Overflow is Detected.\n", __func__));
+ FreePool (KeyValuePair);
+ goto ON_ERROR;
+ }

- Data += AsciiStrLen (KeyValuePair->Value) + 1;
- Len -= (UINT32)AsciiStrLen (KeyValuePair->Value) + 1;
+ Status = SafeUint32Sub (Len, Result, &Len);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a Out of bound memory access Detected.\n", __func__));
+ FreePool (KeyValuePair);
+ goto ON_ERROR;
+ }
+
+ InsertTailList (ListHead, &KeyValuePair->List);
+ Data += Result;
}

return ListHead;
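Review bot: The bound check in this hunk runs after the unbounded read: `AsciiStrLen (KeyValuePair->Value)` scans forward until it finds a NUL with no regard for `Len`, so when the last pair in the buffer has no terminator within the remaining `Len` bytes the over-read has already happened by the time `SafeUint32Sub` reports it, and the same holds when the `Len--` in the previous hunk leaves `Len == 0` with `Value` pointing one past the buffer, unless the caller guarantees a terminator beyond the end (not visible here). Measuring the value with a length bounded by `Len` (BaseLib's `AsciiStrnLenS`, the bounded counterpart of the call already used) and rejecting the pair when no terminator is found inside that bound closes the gap; `Result <= Len` then holds by construction, so the add and sub cannot fail and the two `Safe*` calls become redundant. This needs a `UINTN ValueLen;` declaration next to `Status` and `Result` in the first hunk. The enclosing `while` loop and the `ON_ERROR` label lie outside the hunk.
```c
    KeyValuePair->Value = Data;

    //
    // Bound the scan by Len so a value with no terminator inside the
    // buffer is rejected instead of read past the end.
    //
    ValueLen = AsciiStrnLenS (KeyValuePair->Value, Len);
    if (ValueLen >= Len) {
      DEBUG ((DEBUG_ERROR, "%a Unterminated value detected.\n", __func__));
      FreePool (KeyValuePair);
      goto ON_ERROR;
    }

    Result = (UINT32)ValueLen + 1;  // ValueLen < Len <= MAX_UINT32: cannot overflow
    Len   -= Result;                // Result <= Len: cannot underflow

    InsertTailList (ListHead, &KeyValuePair->List);
    Data += Result;
```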