ShellPkg: acpiview: SRAT: Prevent buffer overruns

Modify the SRAT parsing logic to prevent reading past the table buffer
length provided.

Check if the Static Resource Allocation Structure's buffer fits in the
SRAT table buffer before its contents are dumped.

Prevent buffer overruns when reading the Static Resource Allocation
Structure's header.

References:
- ACPI 6.3, January 2019, Section 5.2.16

Signed-off-by: Krzysztof Koch <krzysztof.koch@arm.com>
Reviewed-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Reviewed-by: Zhichao Gao <zhichao.gao@inte.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>

1 files changed, 13 insertions, 1 deletions

diff --git a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
index 59c77401ea..a8aa420487 100644
--- a/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
+++ b/ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Srat/SratParser.c
@@ -215,10 +215,22 @@ ParseAcpiSrat (
       0,

       NULL,

       ResourcePtr,

-      2,  // The length is 1 byte at offset 1

+      AcpiTableLength - Offset,

       PARSER_PARAMS (SratResourceAllocationParser)

       );

 

+    // Make sure the SRAT structure lies inside the table

+    if ((Offset + *SratRALength) > AcpiTableLength) {

+      IncrementErrorCount ();

+      Print (

+        L"ERROR: Invalid SRAT structure length. SratRALength = %d. " \

+          L"RemainingTableBufferLength = %d. SRAT parsing aborted.\n",

+        *SratRALength,

+        AcpiTableLength - Offset

+        );

+      return;

+    }

+

     switch (*SratRAType) {

       case EFI_ACPI_6_2_GICC_AFFINITY:

         AsciiSPrint (