dsp: bios: Bounds check encode_set_bios_table_req()
```
../src/dsp/bios.c:614:9: error: use of attacker-controlled value ‘table_length’ as size without upper-bounds checking [CWE-129] [-Werror=analyzer-tainted-size]
614 | memcpy(request->table_data, table_data, table_length);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Fixes: 9c76679224cf ("libpldm: Migrate to subproject")
Change-Id: I2a9679f9ab9f743a2521ff2d20e42b8d07c706df
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c77048..425d877 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -136,6 +136,7 @@
12. oem: ibm: platform: Bounds check encode_bios_attribute_update_event_req()
13. dsp: fru: Bounds check encode_get_fru_record_by_option_resp()
14. dsp: fru: Bounds check encode_fru_record()
+15. dsp: bios: Bounds check encode_set_bios_table_req()
## [0.9.1] - 2024-09-07
diff --git a/src/dsp/bios.c b/src/dsp/bios.c
index 00abf7f..a59e314 100644
--- a/src/dsp/bios.c
+++ b/src/dsp/bios.c
@@ -590,8 +590,15 @@
return PLDM_ERROR_INVALID_DATA;
}
- if (PLDM_SET_BIOS_TABLE_MIN_REQ_BYTES + table_length !=
- payload_length) {
+ if (payload_length < PLDM_SET_BIOS_TABLE_MIN_REQ_BYTES) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (payload_length - PLDM_SET_BIOS_TABLE_MIN_REQ_BYTES < table_length) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (payload_length - PLDM_SET_BIOS_TABLE_MIN_REQ_BYTES > table_length) {
return PLDM_ERROR_INVALID_LENGTH;
}
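Review bot: The second and third added tests (`payload_length - PLDM_SET_BIOS_TABLE_MIN_REQ_BYTES < table_length` and the same expression with `>`) both return PLDM_ERROR_INVALID_LENGTH, so after the underflow guard they amount to a single `!=` comparison. If the split exists only so the analyzer sees an explicit upper bound on `table_length` before the memcpy (this is inferred from the commit message, not visible in the hunk), say so in a comment; otherwise collapse them to `if (payload_length - PLDM_SET_BIOS_TABLE_MIN_REQ_BYTES != table_length) {`. It is also worth recording why the check subtracts rather than adds, so a later cleanup does not restore the old form, for example `/* Subtract rather than add: MIN_REQ_BYTES + table_length can wrap for a large table_length */`. The function starts and ends outside the hunk, so whether the destination buffer really holds `payload_length` bytes cannot be confirmed from here.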