msgbuf: Harden pldm_msgbuf_{insert,extract}_array()
Review of some proposed APIs suggested that correct use of the
pldm_msgbuf_{insert,extract}_array() helpers was more difficult than it
should be. In the three-parameter form, it was too tempting to provide
the length to extract as parsed out of a PLDM message. The intended
use was that the length parameter represented the length of the
user-provided data buffer.
Instead, move to a four-parameter form, provide reasonable documentation
for how these APIs should be used, fix all the call-sites, and deprecate
some existing unsafe APIs.
Change-Id: If58e5574600e80b354f383554283c4eda5d7234c
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/src/oem/meta/file_io.c b/src/oem/meta/file_io.c
index 073c446..9df6263 100644
--- a/src/oem/meta/file_io.c
+++ b/src/oem/meta/file_io.c
@@ -13,22 +13,29 @@
{
struct pldm_msgbuf _buf;
struct pldm_msgbuf *buf = &_buf;
+ int rc;
if (msg == NULL || file_handle == NULL || length == NULL ||
data == NULL) {
return PLDM_ERROR_INVALID_DATA;
}
- int rc = pldm_msgbuf_init_cc(
- buf, PLDM_OEM_META_DECODE_WRITE_FILE_IO_MIN_SIZE, msg->payload,
- payload_length);
+ rc = pldm_msgbuf_init_cc(buf,
+ PLDM_OEM_META_DECODE_WRITE_FILE_IO_MIN_SIZE,
+ msg->payload, payload_length);
if (rc) {
return rc;
}
pldm_msgbuf_extract_p(buf, file_handle);
pldm_msgbuf_extract_p(buf, length);
- pldm_msgbuf_extract_array_uint8(buf, data, *length);
+
+ /* NOTE: Memory safety failure */
+ rc = pldm_msgbuf_extract_array_uint8(buf, (size_t)(*length), data,
+ UINT32_MAX);
+ if (rc) {
+ return rc;
+ }
return pldm_msgbuf_destroy_consumed(buf);
}
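Review bot: The new call at the end of this hunk, `rc = pldm_msgbuf_extract_array_uint8(buf, (size_t)(*length), data, UINT32_MAX);`, passes `UINT32_MAX` as the destination buffer length, which is exactly the misuse the commit message says the four-parameter form is meant to prevent: the element count comes from the parsed `*length`, and the bound on `data` is effectively unlimited, so the write is only as safe as whatever the caller happened to allocate. The `/* NOTE: Memory safety failure */` comment acknowledges this but gives the reader no indication of why it is acceptable in a hardening change or how it is to be resolved. Suggest either threading the caller's actual `data` buffer size through the decode function's signature so it can be passed as the fourth argument, or, if that is intended as a follow-up, expanding the note to say so and tying it to the deprecation described in the commit message so the call-site is not mistaken for correct usage of the new API.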