dsp: bios_table: Bounds check pldm_bios_table_string_entry_encode()
```
../src/dsp/bios_table.c:82:9: error: use of attacker-controlled value ‘str_length’ as size without upper-bounds checking [CWE-129] [-Werror=analyzer-tainted-size]
82 | memcpy(string_entry->name, str, str_length);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Fixes: 9c76679224cf ("libpldm: Migrate to subproject")
Change-Id: I1aaa18b358c3e6c958b2d9643487016f2a9f5116
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 010728d..8aa1977 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -138,6 +138,7 @@
14. dsp: fru: Bounds check encode_fru_record()
15. dsp: bios: Bounds check encode_set_bios_table_req()
16. dsp: bios: Bounds check encode_set_bios_attribute_current_value_req()
+17. dsp: bios_table: Bounds check pldm_bios_table_string_entry_encode()
## [0.9.1] - 2024-09-07
diff --git a/src/dsp/bios_table.c b/src/dsp/bios_table.c
index a4280fe..7e91b87 100644
--- a/src/dsp/bios_table.c
+++ b/src/dsp/bios_table.c
@@ -71,6 +71,11 @@
POINTER_CHECK(str);
size_t length = pldm_bios_table_string_entry_encode_length(str_length);
BUFFER_SIZE_EXPECT(entry_length, length);
+ if (entry_length - (sizeof(struct pldm_bios_string_table_entry) -
+ MEMBER_SIZE(pldm_bios_string_table_entry, name)) <
+ str_length) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
struct pldm_bios_string_table_entry *string_entry = entry;
uint16_t handle;
int rc = get_bios_string_handle(&handle);