commit a98924997d58f2bc2150aa8d4ef649213960ce13
author Andrew Jeffery <andrew@codeconstruct.com.au> Thu Oct 03 14:07:17 2024 +0930
committer Andrew Jeffery <andrew@codeconstruct.com.au> Tue Oct 08 17:28:41 2024 +1030
tree 700638c8707550255ea27c9614a9c15eac2e4cc0
parent 92967bedd0a469ac2b84faf0ce4b3560aaa17d5a

dsp: firmware_update: Bounds check decode_downstream_device_parameter_table_entry_versions()

```
../src/dsp/firmware_update.c: In function ‘decode_downstream_device_parameter_table_entry_versions’:
../src/dsp/firmware_update.c:1248:48: error: use of attacker-controlled value ‘*entry.active_comp_ver_str_len’ as offset without upper-bounds checking [CWE-823] [-Werror=analyzer-tainted-offset]
 1248 |         active[entry->active_comp_ver_str_len] = '\0';
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
```

gitlint-ignore: T1, B1, UC1
Fixes: b6ef35b48065 ("fw_update: Add encode req & decode resp for get_downstream_fw_params")
Change-Id: I15571804f391dc97de6d80c90325ded006aee500
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>

tests/dsp/firmware_update.cpp

diff --git a/tests/dsp/firmware_update.cpp b/tests/dsp/firmware_update.cpp
index 8c2be11..1495fd8 100644
--- a/tests/dsp/firmware_update.cpp
+++ b/tests/dsp/firmware_update.cpp
@@ -1987,7 +1987,9 @@
     // Further decode the version strings
     rc = decode_downstream_device_parameter_table_entry_versions(
         &versions, &entry_version.entry, entry_version.active_comp_ver_str,
-        entry_version.pending_comp_ver_str);
+        sizeof(entry_version.active_comp_ver_str),
+        entry_version.pending_comp_ver_str,
+        sizeof(entry_version.pending_comp_ver_str));
     struct pldm_downstream_device_parameter_entry entry = entry_version.entry;
     EXPECT_EQ(rc, 0);
 
@@ -2049,7 +2051,9 @@
 
     int rc = decode_downstream_device_parameter_table_entry_versions(
         &versions, &entryVersion.entry, entryVersion.active_comp_ver_str,
-        entryVersion.pending_comp_ver_str);
+        sizeof(entryVersion.active_comp_ver_str),
+        entryVersion.pending_comp_ver_str,
+        sizeof(entryVersion.pending_comp_ver_str));
 
     EXPECT_EQ(rc, 0);
     EXPECT_EQ(0, memcmp(entryVersion.active_comp_ver_str, versions.ptr,
@@ -2086,7 +2090,9 @@
 
     int rc = decode_downstream_device_parameter_table_entry_versions(
         &versions, nullptr, entryVersion.active_comp_ver_str,
-        entryVersion.pending_comp_ver_str);
+        sizeof(entryVersion.active_comp_ver_str),
+        entryVersion.pending_comp_ver_str,
+        sizeof(entryVersion.pending_comp_ver_str));
     EXPECT_EQ(rc, -EINVAL);
 }
 #endif
@@ -2113,7 +2119,9 @@
     EXPECT_EQ(decode_downstream_device_parameter_table_entry_versions(
                   &versions, &entryVersion.entry,
                   entryVersion.active_comp_ver_str,
-                  entryVersion.pending_comp_ver_str),
+                  sizeof(entryVersion.active_comp_ver_str),
+                  entryVersion.pending_comp_ver_str,
+                  sizeof(entryVersion.pending_comp_ver_str)),
               -EOVERFLOW);
 }
 #endif