sensorhandler: fix buffer overrun in ipmi_fru_get_sdr Change-Id: Ic12598027a92495e49f7cb06aa28f77c0727be44 Signed-off-by: Emily Shaffer <emilyshaffer@google.com>

commit: 0fbdbce22771dac6fe8d651e4c8155645807b83d [log] [tgz]
author: Emily Shaffer <emilyshaffer@google.com> Thu Sep 27 09:30:41 2018 -0700
committer: Emily Shaffer <emilyshaffer@google.com> Fri Sep 28 13:22:19 2018 -0700
tree: 97e704f7b003a1bea91ebbfd244464686f5ed5b0
parent: fdfe501ea71c4acb9464b2076279d794e622d929 [diff]
diff --git a/sensorhandler.cpp b/sensorhandler.cpp
index 9792299..1a44ddb 100644
--- a/sensorhandler.cpp
+++ b/sensorhandler.cpp

@@ -757,23 +757,18 @@
             (FRU_RECORD_ID_START + fru->first), resp);
     }
 
-    if (req->bytes_to_read > (sizeof(*resp) - req->offset))
+    // Check for invalid offset size
+    if (req->offset > sizeof(record))
     {
-        dataLength = (sizeof(*resp) - req->offset);
-    }
-    else
-    {
-        dataLength = req->bytes_to_read;
+        return IPMI_CC_PARM_OUT_OF_RANGE;
     }
 
-    if (dataLength <= 0)
-    {
-        return IPMI_CC_REQ_DATA_LEN_INVALID;
-    }
+    dataLength = std::min(static_cast<size_t>(req->bytes_to_read),
+                          sizeof(record) - req->offset);
 
     std::memcpy(resp->record_data,
                 reinterpret_cast<uint8_t*>(&record) + req->offset,
-                (dataLength));
+                dataLength);
 
     *data_len = dataLength;
     *data_len += 2; // additional 2 bytes for next record ID
commit	0fbdbce22771dac6fe8d651e4c8155645807b83d	[log] [tgz]
author	Emily Shaffer <emilyshaffer@google.com>	Thu Sep 27 09:30:41 2018 -0700
committer	Emily Shaffer <emilyshaffer@google.com>	Fri Sep 28 13:22:19 2018 -0700
tree	97e704f7b003a1bea91ebbfd244464686f5ed5b0
parent	fdfe501ea71c4acb9464b2076279d794e622d929 [diff]