dsp: bios: Bounds check encode_set_bios_attribute_current_value_req()
```
../src/dsp/bios.c: In function ‘encode_set_bios_attribute_current_value_req’:
../src/dsp/bios.c:496:9: error: use of attacker-controlled value ‘attribute_length’ as size without upper-bounds checking [CWE-129] [-Werror=analyzer-tainted-size]
496 | memcpy(request->attribute_data, attribute_data, attribute_length);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
gitlint-ignore: T1, B1
Fixes: 9c76679224cf ("libpldm: Migrate to subproject")
Change-Id: I65fb55204298e5ba16c037fe289a7d94a04e8599
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 425d877..010728d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -137,6 +137,7 @@
13. dsp: fru: Bounds check encode_get_fru_record_by_option_resp()
14. dsp: fru: Bounds check encode_fru_record()
15. dsp: bios: Bounds check encode_set_bios_table_req()
+16. dsp: bios: Bounds check encode_set_bios_attribute_current_value_req()
## [0.9.1] - 2024-09-07
diff --git a/src/dsp/bios.c b/src/dsp/bios.c
index a59e314..5ef5e99 100644
--- a/src/dsp/bios.c
+++ b/src/dsp/bios.c
@@ -474,10 +474,16 @@
if (msg == NULL || attribute_data == NULL) {
return PLDM_ERROR_INVALID_DATA;
}
- if (PLDM_SET_BIOS_ATTR_CURR_VAL_MIN_REQ_BYTES + attribute_length !=
- payload_length) {
+
+ if (payload_length < PLDM_SET_BIOS_ATTR_CURR_VAL_MIN_REQ_BYTES) {
return PLDM_ERROR_INVALID_LENGTH;
}
+
+ if (payload_length - PLDM_SET_BIOS_ATTR_CURR_VAL_MIN_REQ_BYTES <
+ attribute_length) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
struct pldm_header_info header = { 0 };
header.instance = instance_id;
header.msg_type = PLDM_REQUEST;
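Review bot: The second added check, `payload_length - PLDM_SET_BIOS_ATTR_CURR_VAL_MIN_REQ_BYTES < attribute_length`, enforces only a lower bound, so a `payload_length` larger than the minimum plus `attribute_length` is now accepted where the removed `!=` comparison rejected it. If callers transmit `payload_length` bytes, the tail past the copied attribute data could carry stale buffer contents onto the wire; this is inferred, because the rest of the function, including the memcpy at line 496, lies outside the hunk. If exact sizing is still the intended contract, the overflow-safe form `if (payload_length - PLDM_SET_BIOS_ATTR_CURR_VAL_MIN_REQ_BYTES != attribute_length) {` preserves it after the new minimum-size guard. Otherwise a comment such as `/* payload_length may exceed the encoded size; bytes past attribute_data are left untouched */` would record the relaxation, which the commit message does not mention.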