dsp: platform: Bounds check encode_sensor_state_pdr()
```
../src/dsp/platform.c: In function ‘encode_state_sensor_pdr’:
../src/dsp/platform.c:152:9: error: use of attacker-controlled value ‘possible_states_size’ as size without upper-bounds checking [CWE-129] [-Werror=analyzer-tainted-size]
152 | memcpy(sensor->possible_states, possible_states, possible_states_size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Fixes: 9c76679224cf ("libpldm: Migrate to subproject")
Change-Id: I682beae26d346e474825a393da7b5248d3166fbf
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/src/dsp/platform.c b/src/dsp/platform.c
index 850ed71..5391f61 100644
--- a/src/dsp/platform.c
+++ b/src/dsp/platform.c
@@ -93,11 +93,25 @@
const struct state_sensor_possible_states *const possible_states,
const size_t possible_states_size, size_t *const actual_size)
{
- // Encode possible states
-
size_t calculated_possible_states_size = 0;
+ if (!sensor || !possible_states || !actual_size) {
+ return PLDM_ERROR;
+ }
+
+ if (SIZE_MAX - (sizeof(*sensor) - sizeof(sensor->possible_states)) <
+ possible_states_size) {
+ return PLDM_ERROR;
+ }
+
+ if (allocation_size <
+ (sizeof(*sensor) - sizeof(sensor->possible_states) +
+ possible_states_size)) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
{
+ // Encode possible states
char *states_ptr = (char *)possible_states;
char *const begin_states_ptr = states_ptr;
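Review bot: The two new length-related early returns (`return PLDM_ERROR;` after the SIZE_MAX test and `return PLDM_ERROR_INVALID_LENGTH;` after the allocation_size test) leave `*actual_size` untouched, whereas the check this commit removes further down set `*actual_size = 0;` before returning PLDM_ERROR_INVALID_LENGTH. A caller that reads the out-parameter after a failure would now see whatever it held before the call; `actual_size` has already been checked for NULL by then, so adding `*actual_size = 0;` before both returns keeps the previous contract. The header arithmetic `sizeof(*sensor) - sizeof(sensor->possible_states)` is also written out twice, and a local `const size_t` holding it would make the overflow test and the bounds test visibly use the same value. The function's signature begins above the hunk and the possible-states walk that starts at `states_ptr` continues below it, so whether that walk is itself bounded by `possible_states_size` cannot be confirmed from these lines.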
@@ -126,11 +140,6 @@
*actual_size = (sizeof(struct pldm_state_sensor_pdr) +
possible_states_size - sizeof(sensor->possible_states));
- if (allocation_size < *actual_size) {
- *actual_size = 0;
- return PLDM_ERROR_INVALID_LENGTH;
- }
-
// Encode rest of PDR
sensor->hdr.version = 1;