dsp: platform: Prevent overflow of arithmetic on event_data_length
Resolves the following warning from GCC's static analyzer:
```
../src/dsp/platform.c: In function ‘encode_platform_event_message_req’:
../src/dsp/platform.c:1246:9: error: use of attacker-controlled value ‘event_data_length’ as size without upper-bounds checking [CWE-129] [-Werror=analyzer-tainted-size]
1246 | memcpy(request->event_data, event_data, event_data_length);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Fixes: 9c76679224cf ("libpldm: Migrate to subproject")
Change-Id: Id889a5b56d8403dea41f6acd43f21b44bf8d503d
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13ed75c..573b7eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -112,6 +112,8 @@
`tranferFlag` is `AcknowledgementOnly`, the value `eventIDToAcknowledge`
should be the previously retrieved eventID (from the PLDM terminus).
+4. dsp: platform: Prevent overflow of arithmetic on event_data_length
+
## [0.9.1] - 2024-09-07
### Changed
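Review bot: The added entry 4 names only the internal parameter event_data_length, so a changelog reader cannot tell which public call is affected. Consider naming the function given in the commit message, for example "dsp: platform: Prevent overflow of arithmetic on event_data_length in encode_platform_event_message_req()". Also confirm that the entry sits under the subsection intended for fixes, since the hunk context does not show which heading item 4 falls under.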
diff --git a/src/dsp/platform.c b/src/dsp/platform.c
index 7cf5853..850ed71 100644
--- a/src/dsp/platform.c
+++ b/src/dsp/platform.c
@@ -1296,6 +1296,11 @@
return PLDM_ERROR_INVALID_DATA;
}
+ if ((SIZE_MAX - PLDM_PLATFORM_EVENT_MESSAGE_MIN_REQ_BYTES) <
+ event_data_length) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
if (payload_length !=
PLDM_PLATFORM_EVENT_MESSAGE_MIN_REQ_BYTES + event_data_length) {
return PLDM_ERROR_INVALID_LENGTH;
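Review bot: The guard added ahead of the payload_length comparison has no comment, and on its own it only rejects event_data_length values that would make PLDM_PLATFORM_EVENT_MESSAGE_MIN_REQ_BYTES + event_data_length wrap. The upper bound on the memcpy size cited in the analyzer warning still comes entirely from the equality check against payload_length that follows. A short comment above the new if would make the intent clear to later readers. It should say that the check keeps that sum from wrapping so the comparison is sound, and that the copy is bounded by payload_length matching the caller's buffer. The patch as shown touches only CHANGELOG.md and src/dsp/platform.c, so it would also be worth adding a test that passes an event_data_length close to SIZE_MAX and expects PLDM_ERROR_INVALID_LENGTH.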