diff options
| author | Edward O'Callaghan <quasisec@google.com> | 2022-02-02 17:15:05 +1100 |
|---|---|---|
| committer | Nico Huber <nico.h@gmx.de> | 2022-02-03 22:27:51 +0000 |
| commit | c26f27bef8cde6249dab86f4d46943260734793e (patch) | |
| tree | ea4c66cbfaac85dd866bd1b0d63c396ef5b2b1ab /fmap.c | |
| parent | ac68a9e2a8766604efb9d6dfacee59590dcacce5 (diff) | |
| download | flashrom-c26f27bef8cde6249dab86f4d46943260734793e.tar.gz flashrom-c26f27bef8cde6249dab86f4d46943260734793e.tar.bz2 flashrom-c26f27bef8cde6249dab86f4d46943260734793e.zip | |
fmap.c: Avoid undefined behaviour with fmap_lsearch([len:=0])
Calling libflashrom entry-points that internally dispatch to
fmap_lsearch() can result in a integer overflow. Therefore
validate the length paramter before attempting to use it.
BUG=none
TEST=`make`
Change-Id: Ifb408c55c3b69ddff453dcc704b7389298050473
Signed-off-by: Edward O'Callaghan <quasisec@google.com>
Spotted-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/61545
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'fmap.c')
| -rw-r--r-- | fmap.c | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -96,6 +96,9 @@ static off_t fmap_lsearch(const uint8_t *buf, size_t len) off_t offset; bool fmap_found = 0; + if (len < sizeof(struct fmap)) + return -1; + for (offset = 0; offset <= (off_t)(len - sizeof(struct fmap)); offset++) { if (is_valid_fmap((struct fmap *)&buf[offset])) { fmap_found = 1; |