commit edb8bb069b5a5406dd06a6ef38251372ea988f5c
author Emily Shaffer <emilyshaffer@google.com> Thu Sep 27 14:50:15 2018 -0700
committer Emily Shaffer <emilyshaffer@google.com> Mon Oct 01 14:08:15 2018 -0700
tree dc084a9958431f6f377fc967eb53498ae19e2d2d
parent 6c9ee5196abdcf361e20fcec276b0c188f9ba803

apphandler: Fix buffer underflow in ipmi_app_get_device_guid

Change-Id: I7e27130bbe8bfc847f81968d850abacb8914ad78
Signed-off-by: Emily Shaffer <emilyshaffer@google.com>

apphandler.cpp

diff --git a/apphandler.cpp b/apphandler.cpp
index cbbd5f4..8c7df7c 100644
--- a/apphandler.cpp
+++ b/apphandler.cpp
@@ -447,6 +447,9 @@
     int i = 0;
     char* tokptr = NULL;
     char* id_octet = NULL;
+    size_t total_uuid_size = 0;
+    // 1 byte of resp is built from 2 chars of uuid.
+    constexpr size_t max_uuid_size = 2 * resp_size;
 
     // Status code.
     ipmi_ret_t rc = IPMI_CC_OK;
@@ -495,6 +498,15 @@
         // Divide it by 2 for the array size since 1 byte is built from 2 chars
         int tmp_size = strlen(id_octet) / 2;
 
+        // Check if total UUID size has been exceeded
+        if ((total_uuid_size += strlen(id_octet)) > max_uuid_size)
+        {
+            // Error - UUID too long to store
+            log<level::ERR>("UUID too long", entry("UUID=%s", uuid));
+            rc = IPMI_CC_RESPONSE_ERROR;
+            goto finish;
+        }
+
         for (i = 0; i < tmp_size; i++)
         {
             // Holder of the 2 chars that will become a byte