dsp: fru: Bounds check encode_fru_record()
```
../src/dsp/fru.c:200:17: error: use of attacker-controlled value ‘tlvs_size’ as size without upper-bounds checking [CWE-129] [-Werror=analyzer-tainted-size]
200 | memcpy(fru_table + *curr_size, tlvs, tlvs_size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Fixes: 9c76679224cf ("libpldm: Migrate to subproject")
Change-Id: Ibc2831c5fd9665bb2645d49c856fc1a77c6e1feb
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
diff --git a/src/dsp/fru.c b/src/dsp/fru.c
index 7d1906c..6de41b4 100644
--- a/src/dsp/fru.c
+++ b/src/dsp/fru.c
@@ -184,7 +184,20 @@
if (fru_table == NULL || curr_size == NULL || !tlvs_size) {
return PLDM_ERROR_INVALID_DATA;
}
- if ((*curr_size + record_hdr_size + tlvs_size) != total_size) {
+
+ if (SIZE_MAX - *curr_size < record_hdr_size) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (SIZE_MAX - (*curr_size + record_hdr_size) < tlvs_size) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (total_size < *curr_size + record_hdr_size) {
+ return PLDM_ERROR_INVALID_LENGTH;
+ }
+
+ if (total_size - (*curr_size + record_hdr_size) < tlvs_size) {
return PLDM_ERROR_INVALID_LENGTH;
}
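Review bot: The final check in this hunk changes the size contract as well as adding bounds checking. The removed line rejected any `total_size` that was not exactly `*curr_size + record_hdr_size + tlvs_size`, whereas `total_size - (*curr_size + record_hdr_size) < tlvs_size` also accepts a larger `total_size`. Neither the commit message nor the code says so; if the relaxation is intended, a comment above the checks such as `/* total_size is the capacity of fru_table; the record only has to fit within it */` would record it, and if it is not, an extra `!=` test after the overflow checks would keep the old behaviour. The second check (`SIZE_MAX - (*curr_size + record_hdr_size) < tlvs_size`) is implied by the two `total_size` checks that follow it, so it could be dropped, or commented if it is kept only to satisfy the analyzer. The body of encode_fru_record() starts and ends outside the hunk.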