commit 88a349c517f4d719983c8740455d8b99585f72ae
author John Wang <wangzqbj@inspur.com> Mon Jan 20 14:19:49 2020 +0800
committer Deepak Kodihalli <dkodihal@in.ibm.com> Mon Feb 10 07:36:47 2020 -0600
tree d6836f7185ba32535d1d409c9d8891d6dff340f4
parent b0da7a0b05d221b53d8ec17c5d178c90d8d7e88f

libpldm: bios_table: Fix a possible overflow

pldm_bios_table_string_entry_decode_string appends \0
at the end of the string which could exceed the buffer size

Signed-off-by: John Wang <wangzqbj@inspur.com>
Change-Id: I43f67e1b7631e9f6043b75846baf123adf1f7fe1

libpldmresponder/bios.cpp

diff --git a/libpldmresponder/bios.cpp b/libpldmresponder/bios.cpp
index 3f0d4ec..b0b12d8 100644
--- a/libpldmresponder/bios.cpp
+++ b/libpldmresponder/bios.cpp
@@ -331,19 +331,20 @@
     BIOSStringTable.load(table);
     auto stringEntry = pldm_bios_table_string_find_by_handle(
         table.data(), table.size(), stringHdl);
-    std::string name;
     if (stringEntry == nullptr)
     {
         std::cerr << "Reached end of BIOS string table,did not find "
                   << "string name for handle, STRING_HANDLE=" << stringHdl
                   << "\n";
+        throw InternalFailure();
     }
     auto strLength =
         pldm_bios_table_string_entry_decode_string_length(stringEntry);
-    name.resize(strLength);
-    pldm_bios_table_string_entry_decode_string(stringEntry, name.data(),
-                                               name.size());
-    return name;
+    std::vector<char> buffer(strLength + 1);
+    pldm_bios_table_string_entry_decode_string(stringEntry, buffer.data(),
+                                               buffer.size());
+
+    return std::string(buffer.data(), buffer.data() + strLength);
 }
 
 namespace bios_type_enum