dsp: fru: Bounds check encode_get_fru_record_by_option_resp()
```
../src/dsp/fru.c: In function ‘encode_get_fru_record_by_option_resp’:
../src/dsp/fru.c:388:17: error: use of attacker-controlled value ‘data_size’ as size without upper-bounds checking [CWE-129] [-Werror=analyzer-tainted-size]
388 | memcpy(resp->fru_structure_data, fru_structure_data, data_size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Fixes: 9c76679224cf ("libpldm: Migrate to subproject")
Change-Id: I01b43823e3a24c7e7ed229d09643b15fcff4d43b
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6faa9c..14aef6e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -134,6 +134,7 @@
11. dsp: firmware_update: Bounds check
decode_downstream_device_parameter_table_entry_versions()
12. oem: ibm: platform: Bounds check encode_bios_attribute_update_event_req()
+13. dsp: fru: Bounds check encode_get_fru_record_by_option_resp()
## [0.9.1] - 2024-09-07
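Review bot: Entry 13 describes the change only as a bounds check, but the src/dsp/fru.c hunk in this same patch also replaces the exact-length `!=` comparison with a minimum-length test, so a payload_length larger than required is now accepted. Consider wording the entry to mention the relaxed length requirement so that API users reading the changelog see the behaviour change.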
diff --git a/src/dsp/fru.c b/src/dsp/fru.c
index b7fa2b6..7d1906c 100644
--- a/src/dsp/fru.c
+++ b/src/dsp/fru.c
@@ -362,8 +362,12 @@
return PLDM_ERROR_INVALID_DATA;
}
- if (payload_length !=
- PLDM_GET_FRU_RECORD_BY_OPTION_MIN_RESP_BYTES + data_size) {
+ if (payload_length < PLDM_GET_FRU_RECORD_BY_OPTION_MIN_RESP_BYTES) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (payload_length - PLDM_GET_FRU_RECORD_BY_OPTION_MIN_RESP_BYTES <
+ data_size) {
return PLDM_ERROR_INVALID_LENGTH;
}
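Review bot: The second check, `payload_length - PLDM_GET_FRU_RECORD_BY_OPTION_MIN_RESP_BYTES < data_size`, only rejects a buffer that is too small, whereas the removed `!=` comparison also rejected a payload_length larger than the minimum plus data_size. If accepting an oversized buffer is intended, say so in the commit message and in the function's documentation, since callers can no longer rely on this encoder to flag a length mismatch in that direction; if it is not intended, keep an upper-bound rejection alongside the new lower-bound one. The subtraction cannot underflow because of the preceding `payload_length < PLDM_GET_FRU_RECORD_BY_OPTION_MIN_RESP_BYTES` return, and a one-line comment stating that dependency would stop the two checks from being reordered later. A test that passes a payload_length below the minimum, and another with data_size exceeding the remaining space, would pin both new PLDM_ERROR_INVALID_LENGTH paths.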