sensorhandler: fix buffer overrun in ipmi_fru_get_sdr
Change-Id: Ic12598027a92495e49f7cb06aa28f77c0727be44
Signed-off-by: Emily Shaffer <emilyshaffer@google.com>
diff --git a/sensorhandler.cpp b/sensorhandler.cpp
index 9792299..1a44ddb 100644
--- a/sensorhandler.cpp
+++ b/sensorhandler.cpp
@@ -757,23 +757,18 @@
(FRU_RECORD_ID_START + fru->first), resp);
}
- if (req->bytes_to_read > (sizeof(*resp) - req->offset))
+ // Check for invalid offset size
+ if (req->offset > sizeof(record))
{
- dataLength = (sizeof(*resp) - req->offset);
- }
- else
- {
- dataLength = req->bytes_to_read;
+ return IPMI_CC_PARM_OUT_OF_RANGE;
}
- if (dataLength <= 0)
- {
- return IPMI_CC_REQ_DATA_LEN_INVALID;
- }
+ dataLength = std::min(static_cast<size_t>(req->bytes_to_read),
+ sizeof(record) - req->offset);
std::memcpy(resp->record_data,
reinterpret_cast<uint8_t*>(&record) + req->offset,
- (dataLength));
+ dataLength);
*data_len = dataLength;
*data_len += 2; // additional 2 bytes for next record ID