On Sun, Dec 18, 2022 at 06:08:57AM +0000, Heinrich Schuchardt wrote: > The VariableNameSize parameter is in bytes but u16_strnlen() counts u16. > > Fix the parameter check for null termination. > > Signed-off-by: Heinrich Schuchardt <heinrich.schucha...@canonical.com> > --- > include/efi_variable.h | 3 ++- > lib/efi_loader/efi_var_mem.c | 6 +++--- > 2 files changed, 5 insertions(+), 4 deletions(-) > > diff --git a/include/efi_variable.h b/include/efi_variable.h > index 03a3ecb235..805e6c5f1e 100644 > --- a/include/efi_variable.h > +++ b/include/efi_variable.h > @@ -268,7 +268,8 @@ const efi_guid_t *efi_auth_var_get_guid(const u16 *name); > * efi_get_next_variable_name_mem() - Runtime common code across efi variable > * implementations for GetNextVariable() > * from the cached memory copy > - * @variable_name_size: size of variable_name buffer in byte > + * > + * @variable_name_size: size of variable_name buffer in bytes > * @variable_name: name of uefi variable's name in u16 > * @vendor: vendor's guid > * > diff --git a/lib/efi_loader/efi_var_mem.c b/lib/efi_loader/efi_var_mem.c > index 13909b1d26..0bac594e00 100644 > --- a/lib/efi_loader/efi_var_mem.c > +++ b/lib/efi_loader/efi_var_mem.c > @@ -315,14 +315,14 @@ efi_get_next_variable_name_mem(efi_uintn_t > *variable_name_size, > u16 *variable_name, efi_guid_t *vendor) > { > struct efi_var_entry *var; > - efi_uintn_t old_size; > + efi_uintn_t len, old_size; > u16 *pdata; > > if (!variable_name_size || !variable_name || !vendor) > return EFI_INVALID_PARAMETER; > > - if (u16_strnlen(variable_name, *variable_name_size) == > - *variable_name_size) > + len = *variable_name_size >> 1; > + if (u16_strnlen(variable_name, len) == len) > return EFI_INVALID_PARAMETER; > > if (!efi_var_mem_find(vendor, variable_name, &var) && *variable_name) > -- > 2.37.2 >
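Review bot: in the include/efi_variable.h hunk, the neighbouring line "@variable_name: name of uefi variable's name in u16" is left as is, although it is the parameter whose termination the code change checks. Suggest rewording it while this comment block is being touched, for example "@variable_name: null-terminated variable name (u16 string)", so the header states that the terminator must fall within the variable_name_size bytes.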
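Review bot: in the lib/efi_loader/efi_var_mem.c hunk, "len = *variable_name_size >> 1;" hides the bytes-to-u16 conversion behind a shift. Writing it as "*variable_name_size / sizeof(u16)" would state the unit change that the commit message describes. Two edge cases deserve a one-line comment: an odd byte count rounds down, and a size of 0 or 1 gives len == 0, so the comparison "u16_strnlen(variable_name, len) == len" is 0 == 0 (assuming u16_strnlen() returns 0 for a zero count) and the call returns EFI_INVALID_PARAMETER. The diffstat touches only the header and this file, so consider adding a test that passes a name with no terminator inside the stated byte size but with one within twice that many bytes. The old check counted that many u16 and would have accepted such a name; the new one has to reject it.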
Reviewed-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>