From 7501b6bb449f6e4d13e700a65650f9308f54c8c1 Mon Sep 17 00:00:00 2001
From: Jonathan Yong <jonathan.yong@intel.com>
Date: Fri, 16 Apr 2021 09:59:03 +0800
Subject: [PATCH 24/35] mok: fix potential buffer overrun in import_mok_state

Fix the case where data_size is 0, so config_template is
not implicitly copied like the size calculation above.

upstream-status: https://github.com/rhboot/shim/issues/249

Signed-off-by: Jonathan Yong <jonathan.yong@intel.com>
---
 mok.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/mok.c b/mok.c
index beac0ff6..db18093d 100644
--- a/mok.c
+++ b/mok.c
@@ -1034,10 +1034,12 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
 
 		config_template.data_size = v->data_size;
 
-		CopyMem(p, &config_template, sizeof(config_template));
-		p += sizeof(config_template);
-		CopyMem(p, v->data, v->data_size);
-		p += v->data_size;
+		if (v->data && v->data_size) {
+			CopyMem(p, &config_template, sizeof(config_template));
+			p += sizeof(config_template);
+			CopyMem(p, v->data, v->data_size);
+			p += v->data_size;
+		}
 	}
 	if (p) {
 		ZeroMem(&config_template, sizeof(config_template));
-- 
2.32.0