sensorhandler: fix buffer overflow in Get SDR
Change-Id: Id49f6294a506a870696554715b4835c7d7e6207b
Signed-off-by: Emily Shaffer <emilyshaffer@google.com>
diff --git a/sensorhandler.cpp b/sensorhandler.cpp
index 1a44ddb..e676c3e 100644
--- a/sensorhandler.cpp
+++ b/sensorhandler.cpp
@@ -848,9 +848,23 @@
get_sdr::response::set_next_record_id(sensor->first, resp);
}
- *data_len = sizeof(get_sdr::GetSdrResp) - req->offset;
- std::memcpy(resp->record_data, (char*)&record + req->offset,
- sizeof(get_sdr::SensorDataFullRecord) - req->offset);
+ if (req->offset > sizeof(record))
+ {
+ return IPMI_CC_PARM_OUT_OF_RANGE;
+ }
+
+ // data_len will ultimately be the size of the record, plus
+ // the size of the next record ID:
+ *data_len = std::min(static_cast<size_t>(req->bytes_to_read),
+ sizeof(record) - req->offset);
+
+ std::memcpy(resp->record_data,
+ reinterpret_cast<uint8_t*>(&record) + req->offset,
+ *data_len);
+
+ // data_len should include the LSB and MSB:
+ *data_len += sizeof(resp->next_record_id_lsb)
+ + sizeof(resp->next_record_id_msb);
}
return ret;