verify_buffer: check that the value of cert->Hdr.dwLength is reasonable

Signed-off-by: Peter Jones <pjones@redhat.com>
author: Peter Jones <pjones@redhat.com> 2016-09-06 15:20:18 -0400
committer: Peter Jones <pjones@redhat.com> 2016-09-09 11:16:17 -0400
commit: 2de084689fd013ade4d3cc3d8efa7a8c55104241 (patch)
tree: 41100209289316f67e6e4acd6044e95d89d80ea1 /shim.c
parent: b8e27b3cfe2dda8401a6b0865084a2a2ce8ebe66 (diff)
download: efi-boot-shim-2de084689fd013ade4d3cc3d8efa7a8c55104241.tar.gz
efi-boot-shim-2de084689fd013ade4d3cc3d8efa7a8c55104241.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/shim.c b/shim.c
index 1978ff61..f743e8e2 100644
--- a/shim.c
+++ b/shim.c
@@ -915,6 +915,11 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 	unsigned int size = datasize;
 
 	if (context->SecDir->Size != 0) {
+		if (context->SecDir->Size >= size) {
+			perror(L"Certificate Database size is too large\n");
+			return EFI_INVALID_PARAMETER;
+		}
+
 		cert = ImageAddress (data, size,
 				     context->SecDir->VirtualAddress);
 
@@ -923,6 +928,11 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 			return EFI_INVALID_PARAMETER;
 		}
 
+		if (cert->Hdr.dwLength > context->SecDir->Size) {
+			perror(L"Certificate list size is inconsistent with PE headers");
+			return EFI_INVALID_PARAMETER;
+		}
+
 		if (cert->Hdr.wCertificateType !=
 		    WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
 			perror(L"Unsupported certificate type %x\n",
author	Peter Jones <pjones@redhat.com>	2016-09-06 15:20:18 -0400
committer	Peter Jones <pjones@redhat.com>	2016-09-09 11:16:17 -0400
commit	2de084689fd013ade4d3cc3d8efa7a8c55104241 (patch)
tree	41100209289316f67e6e4acd6044e95d89d80ea1 /shim.c
parent	b8e27b3cfe2dda8401a6b0865084a2a2ce8ebe66 (diff)
download	efi-boot-shim-2de084689fd013ade4d3cc3d8efa7a8c55104241.tar.gz efi-boot-shim-2de084689fd013ade4d3cc3d8efa7a8c55104241.zip