author Javier Martinez Canillas <javierm@redhat.com> 2020-09-08 12:26:45 +0200
committer Peter Jones <pjones@redhat.com> 2020-09-09 15:56:39 -0400
commit 74b05de7d19fa4f462b6e228a8a03f8ee242b673 (patch)
tree 8b7d51fa9ec753ddbfb31902173c2a830a3f3a85
parent 63f7943dbe0583dd0bf89ee8fe8230d4b7373b91 (diff)
Fix buffer overrun due DEFAULT_LOADER length miscalculation
The DEFAULT_LOADER is a UCS-2 string and the StrLen() function returns the number of UCS-2 encoded characters in the string. But the allocated memory is in bytes, so only half of the needed memory to store it is allocated.

This leads to a buffer overrun when the StrCpy() function attempts to copy the DEFAULT_LOADER to the allocated buffer.

Fixes: 354bd9b1931 ("Actually check for errors from set_second_stage()")
Reported-by: Stuart Hayes <stuart_hayes@dell.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
-rw-r--r-- shim.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/shim.c b/shim.c
index 1a4d7bb9..25472cb8 100644
--- a/shim.c
+++ b/shim.c
@@ -2320,7 +2320,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
unsigned int i;
UINTN second_stage_len;
- second_stage_len = StrLen(DEFAULT_LOADER) + 1;
+ second_stage_len = (StrLen(DEFAULT_LOADER) + 1) * sizeof(CHAR16);
second_stage = AllocatePool(second_stage_len);
if (!second_stage) {
perror(L"Could not allocate %lu bytes\n", second_stage_len);
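Review bot: On the changed line in set_second_stage(), second_stage_len now holds a byte count while its name and the StrLen() call still read as a character count, so any later use of the variable outside this hunk that treats it as a number of CHAR16 elements needs checking. The sizing itself is right for AllocatePool(), which takes bytes, and the perror() text "Could not allocate %lu bytes" now matches the value. Consider replacing the open-coded arithmetic with StrSize(DEFAULT_LOADER), which returns the size in bytes including the terminating NUL, so the character-to-byte conversion cannot be dropped again in a future edit. Since the commit message identifies StrCpy() as the call that overran the buffer, a bounded copy tied to the same size would also keep the allocation and the copy from drifting apart.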