dsp: firmware_update: Avoid integer overflow
A large fw_device_pkg_data_length could cause uint16_t
calc_min_record_length to wrap around. Instead use a size_t.
Change-Id: I1e0ee5a350d82cb477fd0955a11ded659a5c5933
Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
diff --git a/src/dsp/firmware_update.c b/src/dsp/firmware_update.c
index 5c57171..09c4f66 100644
--- a/src/dsp/firmware_update.c
+++ b/src/dsp/firmware_update.c
@@ -436,7 +436,7 @@
uint16_t applicable_components_length =
component_bitmap_bit_length /
PLDM_FWUP_COMPONENT_BITMAP_MULTIPLE;
- uint16_t calc_min_record_length =
+ size_t calc_min_record_length =
sizeof(struct pldm_firmware_device_id_record) +
applicable_components_length +
data_record->comp_image_set_version_string_length +
diff --git a/tests/dsp/firmware_update.cpp b/tests/dsp/firmware_update.cpp
index 23a5d4f..3f3456d 100644
--- a/tests/dsp/firmware_update.cpp
+++ b/tests/dsp/firmware_update.cpp
@@ -455,6 +455,22 @@
&deviceIdRecHeader, &applicableComponents, &outCompImageSetVersionStr,
&recordDescriptors, &outFwDevicePkgData);
EXPECT_EQ(rc, PLDM_ERROR_INVALID_LENGTH);
+
+ // Large FirmwareDevicePackageDataLength could cause overflow in calculation
+ constexpr std::array<uint8_t, 49> invalidRecord5{
+ 0x31, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x0e,
+ // FirmwareDevicePackageDataLength = 0xffff
+ 0xff, 0xff,
+ //
+ 0x93, 0x01, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x72,
+ 0x69, 0x6e, 0x67, 0x31, 0x02, 0x00, 0x10, 0x00, 0x12, 0x44, 0xd2, 0x64,
+ 0x8d, 0x7d, 0x47, 0x18, 0xa0, 0x30, 0xfc, 0x8a, 0x56, 0x58, 0x7d, 0x5b,
+ 0xab, 0xcd};
+ rc = decode_firmware_device_id_record(
+ invalidRecord5.data(), invalidRecord5.size(), componentBitmapBitLength,
+ &deviceIdRecHeader, &applicableComponents, &outCompImageSetVersionStr,
+ &recordDescriptors, &outFwDevicePkgData);
+ EXPECT_EQ(rc, PLDM_ERROR_INVALID_LENGTH);
}
TEST(DecodeDescriptors, goodPath3Descriptors)