dsp: firmware_update: Bounds check decode_downstream_device_parameter_table_entry_versions()
```
../src/dsp/firmware_update.c: In function ‘decode_downstream_device_parameter_table_entry_versions’:
../src/dsp/firmware_update.c:1248:48: error: use of attacker-controlled value ‘*entry.active_comp_ver_str_len’ as offset without upper-bounds checking [CWE-823] [-Werror=analyzer-tainted-offset]
1248 | active[entry->active_comp_ver_str_len] = '\0';
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
```
gitlint-ignore: T1, B1, UC1
Fixes: b6ef35b48065 ("fw_update: Add encode req & decode resp for get_downstream_fw_params")
Change-Id: I15571804f391dc97de6d80c90325ded006aee500
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/src/dsp/firmware_update.c b/src/dsp/firmware_update.c
index c492a05..2afcaab 100644
--- a/src/dsp/firmware_update.c
+++ b/src/dsp/firmware_update.c
@@ -1225,7 +1225,7 @@
int decode_downstream_device_parameter_table_entry_versions(
const struct variable_field *versions,
struct pldm_downstream_device_parameter_entry *entry, char *active,
- char *pending)
+ size_t active_len, char *pending, size_t pending_len)
{
struct pldm_msgbuf _buf;
struct pldm_msgbuf *buf = &_buf;
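Review bot: The new `active_len` and `pending_len` parameters are not documented anywhere in this hunk, and their meaning is easy to get wrong. The check added further down (`active_len - 1 < entry->active_comp_ver_str_len`) makes them buffer capacities that must include one byte for the NUL terminator, not string lengths. I would say so on the declaration's doc comment, e.g. `@param[in] active_len - Size of the active buffer in bytes, including room for the terminating NUL`, with the same for `pending_len`, and list `-EOVERFLOW` among the documented return values. The header prototype and the callers are not visible in this diff, so it is worth confirming they were updated to pass the full buffer size rather than the old length. The function body continues outside the hunk.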
@@ -1236,6 +1236,14 @@
return -EINVAL;
}
+ if (!active_len || active_len - 1 < entry->active_comp_ver_str_len) {
+ return -EOVERFLOW;
+ }
+
+ if (!pending_len || pending_len - 1 < entry->pending_comp_ver_str_len) {
+ return -EOVERFLOW;
+ }
+
/* This API should be called after decode_downstream_device_parameter_table_entry
* has successfully decoded the entry, assume the entry data is valid here.
*/
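Review bot: The comment kept directly below the new checks still says to "assume the entry data is valid here", which now contradicts the code above it. The two checks exist precisely because the analyzer treats `entry->active_comp_ver_str_len` as attacker-controlled. I would reword it to separate what is assumed from what is verified, for example `/* entry is expected to come from decode_downstream_device_parameter_table_entry(); its string lengths are message-derived, so they are checked against the caller's buffer sizes above. */`. The checks themselves look sound from what is visible: a zero capacity is rejected before the `- 1`, so the subtraction cannot wrap, and both run before anything is written to `active` or `pending`. The enclosing function starts and ends outside this hunk.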
@@ -1248,15 +1256,14 @@
}
rc = pldm_msgbuf_extract_array(buf, entry->active_comp_ver_str_len,
- active, entry->active_comp_ver_str_len);
+ active, active_len);
if (rc < 0) {
return rc;
}
active[entry->active_comp_ver_str_len] = '\0';
rc = pldm_msgbuf_extract_array(buf, entry->pending_comp_ver_str_len,
- pending,
- entry->pending_comp_ver_str_len);
+ pending, pending_len);
if (rc < 0) {
return rc;
}