Hung-Te Lin has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/33016
Change subject: src/driver/vpd: Check decoded content length before invoking callback ......................................................................
src/driver/vpd: Check decoded content length before invoking callback
When decoding, the content (key or value) part should be also checked before we jump into callback because the callback function has no idea if the contents are all valid.
BUG=chromium:967209 TEST=make; boots on at least kukui boards.
Change-Id: I3928e9c43cb87caf93fb44ee10434ce80f0a188a Signed-off-by: Hung-Te Lin hungte@chromium.org --- M src/drivers/vpd/lib_vpd.c 1 file changed, 4 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/16/33016/1
diff --git a/src/drivers/vpd/lib_vpd.c b/src/drivers/vpd/lib_vpd.c index 0744a71..f235a82 100644 --- a/src/drivers/vpd/lib_vpd.c +++ b/src/drivers/vpd/lib_vpd.c @@ -79,8 +79,8 @@ if (VPD_OK != decodeLen(max_len - *consumed, &input_buf[*consumed], &key_len, &decoded_len) || - *consumed + decoded_len >= max_len) { - return VPD_FAIL; + *consumed + decoded_len + key_len >= max_len) { + return VPD_FAIL; }
*consumed += decoded_len; @@ -91,8 +91,8 @@ if (VPD_OK != decodeLen(max_len - *consumed, &input_buf[*consumed], &value_len, &decoded_len) || - *consumed + decoded_len > max_len) { - return VPD_FAIL; + *consumed + decoded_len + value_len > max_len) { + return VPD_FAIL; } *consumed += decoded_len; value = &input_buf[*consumed];