oem: ibm: platform: Bounds check encode_bios_attribute_update_event_req()
```
../src/oem/ibm/platform.c: In function ‘encode_bios_attribute_update_event_req’:
../src/oem/ibm/platform.c:49:9: error: use of attacker-controlled value ‘(long unsigned int)num_handles * 2’ as size without upper-bounds checking [CWE-129] [-Werror=analyzer-tainted-size]
49 | memcpy(request->bios_attribute_handles, list_of_handles,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
50 | num_handles * sizeof(uint16_t));
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
gitlint-ignore: T1, B1
Fixes: 9c76679224cf ("libpldm: Migrate to subproject")
Change-Id: Ie329d651207936b4a4762efa7631c9ecb525cf74
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f1e7ed2..a6faa9c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -133,6 +133,7 @@
10. dsp: bios_table: Bounds check pldm_bios_table_attr_value_entry_encode_enum()
11. dsp: firmware_update: Bounds check
decode_downstream_device_parameter_table_entry_versions()
+12. oem: ibm: platform: Bounds check encode_bios_attribute_update_event_req()
## [0.9.1] - 2024-09-07
diff --git a/src/oem/ibm/platform.c b/src/oem/ibm/platform.c
index 2c3741d..b02bf4d 100644
--- a/src/oem/ibm/platform.c
+++ b/src/oem/ibm/platform.c
@@ -1,4 +1,5 @@
/* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */
+#include <libpldm/base.h>
#include <libpldm/platform.h>
#include <libpldm/oem/ibm/platform.h>
@@ -24,9 +25,18 @@
return PLDM_ERROR_INVALID_DATA;
}
- if (payload_length !=
- (PLDM_PLATFORM_EVENT_MESSAGE_MIN_REQ_BYTES + sizeof(num_handles) +
- (num_handles * sizeof(uint16_t)))) {
+ if (SIZE_MAX / num_handles < sizeof(uint16_t)) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (payload_length <
+ PLDM_PLATFORM_EVENT_MESSAGE_MIN_REQ_BYTES + sizeof(num_handles)) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (payload_length - (PLDM_PLATFORM_EVENT_MESSAGE_MIN_REQ_BYTES +
+ sizeof(num_handles)) <
+ num_handles * sizeof(uint16_t)) {
return PLDM_ERROR_INVALID_LENGTH;
}
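Review bot: The overflow guard `if (SIZE_MAX / num_handles < sizeof(uint16_t))` divides by the caller-supplied `num_handles`, so it is only safe if a zero count has already been rejected, and no such check is visible in this hunk (the `return PLDM_ERROR_INVALID_DATA;` context just above may belong to one). Writing it with a constant divisor, `if (num_handles > SIZE_MAX / sizeof(uint16_t)) {`, rejects the same values without depending on that earlier check. The length test also changes from an exact match (`!=`) to a lower bound, so a `payload_length` larger than the encoded message is now accepted; a one-line comment such as `/* payload_length is the buffer capacity and may exceed the encoded size */` would record that this is intended. The function body starts and ends outside the hunk.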