msgbuf: Harden pldm_msgbuf_{insert,extract}_array()
Review of some proposed APIs suggested that correct use of the
pldm_msgbuf_{insert,extract}_array() helpers was more difficult than it
should be. In the three-parameter form, it was too tempting to provide
the length to extract as parsed out of a PLDM message. The intended
use was that the length parameter represented the length of the
user-provided data buffer.
Instead, move to a four-parameter form, provide reasonable documentation
for how these APIs should be used, fix all the call-sites, and deprecate
some existing unsafe APIs.
Change-Id: If58e5574600e80b354f383554283c4eda5d7234c
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/src/dsp/firmware_update.c b/src/dsp/firmware_update.c
index 80310b2..61bb953 100644
--- a/src/dsp/firmware_update.c
+++ b/src/dsp/firmware_update.c
@@ -1152,8 +1152,14 @@
if (rc < 0) {
return rc;
}
- pldm_msgbuf_extract_array(buf, entry->active_comp_release_date,
- PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN);
+ rc = pldm_msgbuf_extract_array(buf,
+ PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN,
+ entry->active_comp_release_date,
+ sizeof(entry->active_comp_release_date));
+ if (rc < 0) {
+ return rc;
+ }
+
// Fill the last byte with NULL character
entry->active_comp_release_date[PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN] =
'\0';
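Review bot: The NUL terminator stored at `entry->active_comp_release_date[PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN]` just after the new extract is not covered by the bound the extract now enforces: the copy is checked against `sizeof(entry->active_comp_release_date)`, but the terminator index is one past the extracted length, so the store is in bounds only if the array is declared with at least `PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN + 1` elements, which this hunk does not show. If that is the intent, pin it so a later change to the struct cannot silently turn the store into a one-byte overflow, e.g. `_Static_assert(sizeof(entry->active_comp_release_date) > PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN, "release date buffer needs room for the NUL");` ahead of the store, or a runtime size check returning the error code this file uses elsewhere if it avoids static asserts. The enclosing function starts and ends outside this hunk.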
@@ -1164,8 +1170,15 @@
if (rc < 0) {
return rc;
}
- pldm_msgbuf_extract_array(buf, entry->pending_comp_release_date,
- PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN);
+
+ rc = pldm_msgbuf_extract_array(
+ buf, PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN,
+ entry->pending_comp_release_date,
+ sizeof(entry->pending_comp_release_date));
+ if (rc < 0) {
+ return rc;
+ }
+
// Fill the last byte with NULL character
entry->pending_comp_release_date[PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN] =
'\0';
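Review bot: The blank line inserted before the `rc = pldm_msgbuf_extract_array(` call at the top of this hunk is inconsistent with the active_comp_release_date sequence immediately above, where the extract follows its preceding `if (rc < 0)` block directly; drop the extra blank line so the two parallel sequences read the same. The same caveat applies to the terminator store `entry->pending_comp_release_date[PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN] = '\0';`: it indexes one past the extracted length, so it is only bounded if the array has `PLDM_FWUP_COMPONENT_RELEASE_DATA_LEN + 1` elements, which this hunk does not show; a `_Static_assert` on `sizeof(entry->pending_comp_release_date)` against the constant would make that invariant explicit. The enclosing function continues outside the hunk.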
@@ -1218,10 +1231,20 @@
return rc;
}
- pldm_msgbuf_extract_array(buf, active, entry->active_comp_ver_str_len);
+ rc = pldm_msgbuf_extract_array(buf, entry->active_comp_ver_str_len,
+ active, entry->active_comp_ver_str_len);
+ if (rc < 0) {
+ return rc;
+ }
+
active[entry->active_comp_ver_str_len] = '\0';
- pldm_msgbuf_extract_array(buf, pending,
- entry->pending_comp_ver_str_len);
+ rc = pldm_msgbuf_extract_array(buf, entry->pending_comp_ver_str_len,
+ pending,
+ entry->pending_comp_ver_str_len);
+ if (rc < 0) {
+ return rc;
+ }
+
pending[entry->pending_comp_ver_str_len] = '\0';
entry->active_comp_ver_str = active;