apphandler: Fix buffer underflow in ipmi_app_get_device_guid
Change-Id: I7e27130bbe8bfc847f81968d850abacb8914ad78
Signed-off-by: Emily Shaffer <emilyshaffer@google.com>
diff --git a/apphandler.cpp b/apphandler.cpp
index cbbd5f4..8c7df7c 100644
--- a/apphandler.cpp
+++ b/apphandler.cpp
@@ -447,6 +447,9 @@
int i = 0;
char* tokptr = NULL;
char* id_octet = NULL;
+ size_t total_uuid_size = 0;
+ // 1 byte of resp is built from 2 chars of uuid.
+ constexpr size_t max_uuid_size = 2 * resp_size;
// Status code.
ipmi_ret_t rc = IPMI_CC_OK;
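Review bot: `total_uuid_size` is declared without a comment, and its name does not say that it counts UUID characters rather than response bytes, even though the comparison against `max_uuid_size = 2 * resp_size` only makes sense in characters. A one-line comment on the declaration would prevent a later change from mixing the units, for example `// Running count of UUID characters consumed so far (2 chars per resp byte).`. `resp_size` is defined outside the hunk, so it is assumed here to be a compile-time constant giving the response buffer length in bytes.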
@@ -495,6 +498,15 @@
// Divide it by 2 for the array size since 1 byte is built from 2 chars
int tmp_size = strlen(id_octet) / 2;
+ // Check if total UUID size has been exceeded
+ if ((total_uuid_size += strlen(id_octet)) > max_uuid_size)
+ {
+ // Error - UUID too long to store
+ log<level::ERR>("UUID too long", entry("UUID=%s", uuid));
+ rc = IPMI_CC_RESPONSE_ERROR;
+ goto finish;
+ }
+
for (i = 0; i < tmp_size; i++)
{
// Holder of the 2 chars that will become a byte
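Review bot: The bound check `if ((total_uuid_size += strlen(id_octet)) > max_uuid_size)` hides the running-total update inside the comparison and calls `strlen(id_octet)` a second time, right after `tmp_size` was derived from the same value. Taking the length once and separating the update keeps the two uses in step: `const size_t octet_len = strlen(id_octet);`, `total_uuid_size += octet_len;`, `if (total_uuid_size > max_uuid_size)`. The error path logs `uuid` with `%s`; if that is the same buffer being tokenised into `id_octet` (the tokeniser call is outside the hunk), the logged value may stop at the first separator and not show the over-long input. It is also worth confirming that the `finish` label does not report a partially filled response length when `rc` is `IPMI_CC_RESPONSE_ERROR`; the loop body and the rest of the function lie outside the hunk.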