
Commit 331a669

authored
Merge pull request #161 from xiaocq2001/chxiao/msrc_84686_add_length_check_in_h_pima_stor_inf_g
Fixed unicode string copy issue in host pima storage info get.
2 parents 203d166 + 5cae507 commit 331a669

2 files changed

+3845
-5
lines changed


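--- a/common/usbx_host_classes/src/ux_host_class_pima_storage_info_get.c
+++ b/common/usbx_host_classes/src/ux_host_class_pima_storage_info_get.c
@@ -34,7 +34,7 @@
 /* FUNCTION RELEASE */
 /* */
 /* _ux_host_class_pima_storage_info_get PORTABLE C */
-/* 6.3.0 */
+/* 6.x */
 /* AUTHOR */
 /* */
 /* Chaoqiong Xiao, Microsoft Corporation */
@@ -77,6 +77,9 @@
 /* resulting in version 6.1 */
 /* 10-31-2023 Yajun xia Modified comment(s), */
 /* resulting in version 6.3.0 */
+/* xx-xx-xxxx Chaoqiong Xiao Modified comment(s), */
+/* fixed unicode string copy, */
+/* resulting in version 6.x */
 /* */
 /**************************************************************************/
 UINT _ux_host_class_pima_storage_info_get(UX_HOST_CLASS_PIMA *pima,
@@ -88,7 +91,7 @@ UX_HOST_CLASS_PIMA_COMMAND command;
 UINT status;
 UCHAR *storage_buffer;
 UCHAR *storage_pointer;
-ULONG unicode_string_length;
+ULONG unicode_string_length, unicode_string_bytes;
 
 /* If trace is enabled, insert this event into the trace buffer. */
 UX_TRACE_IN_LINE_INSERT(UX_TRACE_HOST_CLASS_PIMA_STORAGE_INFO_GET, pima, storage_id, storage, 0, UX_TRACE_HOST_CLASS_EVENTS, 0, 0)
@@ -140,17 +143,43 @@ ULONG unicode_string_length;
 /* Get the unicode string length. */
 unicode_string_length = (ULONG) *storage_pointer ;
 
+/* unicode_string_length is a byte so
+unicode_string_length * 2 + 1 will not overflow. */
+unicode_string_bytes = (unicode_string_length << 1) + 1;
+
+/* Check target buffer length. */
+if (unicode_string_bytes > UX_HOST_CLASS_PIMA_UNICODE_MAX_LENGTH)
+{
+_ux_utility_memory_free(storage_buffer);
+return(UX_BUFFER_OVERFLOW);
+}
+
 /* Copy that string into the storage description field. */
-_ux_utility_memory_copy(storage -> ux_host_class_pima_storage_description, storage_pointer, unicode_string_length); /* Use case of memcpy is verified. */
+_ux_utility_memory_copy(storage -> ux_host_class_pima_storage_description,
+storage_pointer,
+unicode_string_bytes); /* Use case of memcpy is verified. */
 
 /* Point to the volume label. */
-storage_pointer = storage_buffer + UX_HOST_CLASS_PIMA_STORAGE_VARIABLE_OFFSET + unicode_string_length;
+storage_pointer = storage_buffer + UX_HOST_CLASS_PIMA_STORAGE_VARIABLE_OFFSET + unicode_string_bytes;
 
 /* Get the unicode string length. */
 unicode_string_length = (ULONG) *storage_pointer ;
 
+/* unicode_string_length is a byte so
+unicode_string_length * 2 + 1 will not overflow. */
+unicode_string_bytes = (unicode_string_length << 1) + 1;
+
+/* Check target buffer length. */
+if (unicode_string_bytes > UX_HOST_CLASS_PIMA_UNICODE_MAX_LENGTH)
+{
+_ux_utility_memory_free(storage_buffer);
+return(UX_BUFFER_OVERFLOW);
+}
+
 /* Copy that string into the storage volume label field. */
-_ux_utility_memory_copy(storage -> ux_host_class_pima_storage_volume_label, storage_pointer, unicode_string_length); /* Use case of memcpy is verified. */
+_ux_utility_memory_copy(storage -> ux_host_class_pima_storage_volume_label,
+storage_pointer,
+unicode_string_bytes); /* Use case of memcpy is verified. */
 
 }
 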
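Review bot: The new length checks in the last hunk bound each copy against the destination field (`UX_HOST_CLASS_PIMA_UNICODE_MAX_LENGTH`) but not against the data actually received into `storage_buffer`: `unicode_string_length` is a device-supplied byte, `storage_pointer` is advanced by the first string's byte count before the second length byte is read, and neither that read nor either copy is compared with the dataset size the command returned. If `storage_buffer` is allocated at a fixed maximum dataset size the accesses stay inside the allocation but still consume bytes the device never sent; the allocation and the command's transfer length are outside this hunk, so that part is inferred. A guard before each copy such as `if (storage_pointer + unicode_string_bytes > storage_buffer + RECEIVED_LENGTH /* placeholder: dataset length reported by the command */)`, taking the same free-and-return path, would tie the copy to the received data. The two check-and-copy sequences are identical apart from the destination field and could be factored into one static helper so the bound is maintained in one place; the function body spans several hunks and its start is outside the last one.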