Nico Huber has uploaded this change for review.


ich_descriptors: Fix range checks for dumps

These explicit off-by-one calculations were... off-by-one.

Original-Change-Id: If57c92ba28f91c4d72123ef0cfd2d9d5ac0a0656
Original-Reviewed-on: https://review.coreboot.org/19031
Original-Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Original-Reviewed-by: David Hendricks <david.hendricks@gmail.com>

Change-Id: I8ff9e54aba01aea6e2714a13a3efe0d2bb9714de
Signed-off-by: Nico Huber <nico.huber@secunet.com>
---
M ich_descriptors.c
1 file changed, 5 insertions(+), 5 deletions(-)

git pull ssh://review.coreboot.org:29418/flashrom refs/changes/00/21800/1
diff --git a/ich_descriptors.c b/ich_descriptors.c
index 4af8764..ecc2b95 100644
--- a/ich_descriptors.c
+++ b/ich_descriptors.c
@@ -719,7 +719,7 @@
}

/* map */
- if (len < (4 + pch_bug_offset) * 4 - 1)
+ if (len < (4 + pch_bug_offset) * 4)
return ICH_RET_OOB;
desc->content.FLVALSIG = dump[0 + pch_bug_offset];
desc->content.FLMAP0 = dump[1 + pch_bug_offset];
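Review bot: Nothing near this check states that `len` is a byte count while `dump[]` is indexed in 32-bit words, and that unit mismatch is what the removed `- 1` terms got wrong here and in the component, region, master and VTBA checks further down. A one-line comment above this first check would keep the five checks from drifting again, for example `/* len is in bytes, dump[] is indexed in dwords: N dwords at byte offset B need len >= B + N * 4 */`. The declarations of `len` and `dump` are outside the hunk, so the units are inferred from the `* 4` and `>> 2` arithmetic and should be confirmed before the comment is added.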
@@ -727,14 +727,14 @@
desc->content.FLMAP2 = dump[3 + pch_bug_offset];

/* component */
- if (len < (getFCBA(&desc->content) + 3 * 4 - 1))
+ if (len < getFCBA(&desc->content) + 3 * 4)
return ICH_RET_OOB;
desc->component.FLCOMP = dump[(getFCBA(&desc->content) >> 2) + 0];
desc->component.FLILL = dump[(getFCBA(&desc->content) >> 2) + 1];
desc->component.FLPB = dump[(getFCBA(&desc->content) >> 2) + 2];

/* region */
- if (len < (getFRBA(&desc->content) + 5 * 4 - 1))
+ if (len < getFRBA(&desc->content) + 5 * 4)
return ICH_RET_OOB;
desc->region.FLREGs[0] = dump[(getFRBA(&desc->content) >> 2) + 0];
desc->region.FLREGs[1] = dump[(getFRBA(&desc->content) >> 2) + 1];
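Review bot: The base offsets in the component and region checks are read from `desc->content`, which was filled from the dump just above, so `getFCBA()`/`getFRBA()` plus the constant is the only bound on the `dump[...]` reads that follow; the same applies to `getFMBA()` in the master check. That makes the integer types part of the check: if `len` is signed, or the getters can return a value close to their type's maximum, the comparison could pass through an implicit conversion or a wrapped sum. Both declarations are outside the hunk, so this is something to confirm rather than a known defect. A short comment next to the first of these checks stating the getters' maximum return value and that `len` is unsigned would settle it for future readers.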
@@ -743,7 +743,7 @@
desc->region.FLREGs[4] = dump[(getFRBA(&desc->content) >> 2) + 4];

/* master */
- if (len < (getFMBA(&desc->content) + 3 * 4 - 1))
+ if (len < getFMBA(&desc->content) + 3 * 4)
return ICH_RET_OOB;
desc->master.FLMSTR1 = dump[(getFMBA(&desc->content) >> 2) + 0];
desc->master.FLMSTR2 = dump[(getFMBA(&desc->content) >> 2) + 1];
@@ -758,7 +758,7 @@
* the maximum of 255 gives us 127.5 SPI components(!?) 8 bytes each. A
* check ensures that the maximum offset actually accessed is available.
*/
- if (len < (getVTBA(&desc->upper) + (desc->upper.VTL / 2 * 8) - 1))
+ if (len < getVTBA(&desc->upper) + (desc->upper.VTL / 2 * 8))
return ICH_RET_OOB;

for (i = 0; i < desc->upper.VTL/2; i++) {
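Review bot: The corrected check bounds the reads from `dump`, but the loop that starts on the last line runs `VTL / 2` times and presumably stores one entry per iteration into `desc->upper`, with the comment above allowing `VTL` up to 255. The loop body and the destination's declaration are outside the hunk, so it is not visible whether the destination table holds 127 entries; if it is smaller, a cap before the loop is needed, e.g. `if (desc->upper.VTL / 2 > MAX_VSCC_ENTRIES) return ICH_RET_OOB;` (placeholder constant name). It is also worth confirming that the load of `desc->upper` from the dump, which precedes this hunk, has its own length check, since `getVTBA()` and `VTL` are only as trustworthy as that read.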


Gerrit-Project: flashrom
Gerrit-Branch: stable
Gerrit-MessageType: newchange
Gerrit-Change-Id: I8ff9e54aba01aea6e2714a13a3efe0d2bb9714de
Gerrit-Change-Number: 21800
Gerrit-PatchSet: 1
Gerrit-Owner: Nico Huber <nico.h@gmx.de>