Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / libpldm / 92967bedd0a469ac2b84faf0ce4b3560aaa17d5a^! / . / src / dsp / bios_table.c
commit92967bedd0a469ac2b84faf0ce4b3560aaa17d5a[log] [tgz]
authorAndrew Jeffery <andrew@codeconstruct.com.au>Wed Oct 02 22:13:57 2024 +0930
committerAndrew Jeffery <andrew@codeconstruct.com.au>Tue Oct 08 17:19:56 2024 +1030
tree832104ef0bc9001e9006cc3be4ea4e39b6f4c324
parentd96d21f4ac9cd1b8ffcf967df2e2988888541f6c [diff] [blame]
dsp: bios_table: Bounds check pldm_bios_table_attr_value_entry_encode_enum()

```
../src/dsp/bios_table.c: In function ‘pldm_bios_table_attr_value_entry_encode_enum’:
../src/dsp/bios_table.c:711:17: error: use of attacker-controlled value ‘count’ as size without upper-bounds checking [CWE-129] [-Werror=analyzer-tainted-size]
  711 |                 memcpy(&table_entry->value[1], handles, count);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```

gitlint-ignore: T1, B1
Change-Id: Ie8073f6d19ad3c249160c675f36d73dc83afb198
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

diff --git a/src/dsp/bios_table.c b/src/dsp/bios_table.c
index 7752c08..a4280fe 100644
--- a/src/dsp/bios_table.c
+++ b/src/dsp/bios_table.c

@@ -694,22 +694,23 @@
 	void *entry, size_t entry_length, uint16_t attr_handle,
 	uint8_t attr_type, uint8_t count, const uint8_t *handles)
 {
+	struct pldm_bios_attr_val_table_entry *table_entry;
+
 	POINTER_CHECK(entry);
 	POINTER_CHECK(handles);
 	if (count != 0 && handles == NULL) {
 		return PLDM_ERROR_INVALID_DATA;
 	}
 	ATTR_TYPE_EXPECT(attr_type, PLDM_BIOS_ENUMERATION);
-	size_t length =
-		pldm_bios_table_attr_value_entry_encode_enum_length(count);
-	BUFFER_SIZE_EXPECT(entry_length, length);
-	struct pldm_bios_attr_val_table_entry *table_entry = entry;
+	BUFFER_SIZE_EXPECT(entry_length, sizeof(*table_entry));
+	table_entry = entry;
 	table_entry->attr_handle = htole16(attr_handle);
 	table_entry->attr_type = attr_type;
 	table_entry->value[0] = count;
-	if (count != 0) {
-		memcpy(&table_entry->value[1], handles, count);
+	if (entry_length - sizeof(*table_entry) < count) {
+		return PLDM_ERROR_INVALID_LENGTH;
 	}
+	memcpy(&table_entry->value[1], handles, count);
 	return PLDM_SUCCESS;
 }