dsp: fru: Bounds check encode_fru_record()
```
../src/dsp/fru.c:200:17: error: use of attacker-controlled value ‘tlvs_size’ as size without upper-bounds checking [CWE-129] [-Werror=analyzer-tainted-size]
200 | memcpy(fru_table + *curr_size, tlvs, tlvs_size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Fixes: 9c76679224cf ("libpldm: Migrate to subproject")
Change-Id: Ibc2831c5fd9665bb2645d49c856fc1a77c6e1feb
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 14aef6e..0c77048 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -135,6 +135,7 @@
decode_downstream_device_parameter_table_entry_versions()
12. oem: ibm: platform: Bounds check encode_bios_attribute_update_event_req()
13. dsp: fru: Bounds check encode_get_fru_record_by_option_resp()
+14. dsp: fru: Bounds check encode_fru_record()
## [0.9.1] - 2024-09-07
diff --git a/src/dsp/fru.c b/src/dsp/fru.c
index 7d1906c..6de41b4 100644
--- a/src/dsp/fru.c
+++ b/src/dsp/fru.c
@@ -184,7 +184,20 @@
if (fru_table == NULL || curr_size == NULL || !tlvs_size) {
return PLDM_ERROR_INVALID_DATA;
}
- if ((*curr_size + record_hdr_size + tlvs_size) != total_size) {
+
+ if (SIZE_MAX - *curr_size < record_hdr_size) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (SIZE_MAX - (*curr_size + record_hdr_size) < tlvs_size) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (total_size < *curr_size + record_hdr_size) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (total_size - (*curr_size + record_hdr_size) < tlvs_size) {
return PLDM_ERROR_INVALID_LENGTH;
}
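Review bot: The second guard, `SIZE_MAX - (*curr_size + record_hdr_size) < tlvs_size`, is already implied by the last two. Once `total_size - (*curr_size + record_hdr_size) >= tlvs_size` holds, the full sum is at most `total_size` and cannot wrap. The same sum is also spelled out three times, so I would hoist it right after the first overflow check as `size_t offset = *curr_size + record_hdr_size;`, then keep only `if (total_size < offset)` and `if (total_size - offset < tlvs_size)`. This assumes the operands are all `size_t`, which the hunk does not show. Separately, the removed line required an exact match (`!= total_size`) while the new code only requires the record to fit, so a caller passing a larger `total_size` now succeeds where it used to get `PLDM_ERROR_INVALID_LENGTH`. That relaxation deserves a sentence in the commit message or the function's doc comment. The body of `encode_fru_record()` begins and ends outside this hunk, so the `memcpy` cited in the diagnostic is not visible here.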