Nico Huber submitted this change.

View Change

Approvals: build bot (Jenkins): Verified Nico Huber: Looks good to me, approved Julius Werner: Looks good to me, approved Angel Pons: Looks good to me, approved 
fmap.c: Avoid undefined behaviour with fmap_lsearch([len:=0])

Calling libflashrom entry-points that internally dispatch to
fmap_lsearch() can result in a integer overflow. Therefore
validate the length paramter before attempting to use it.

BUG=none
TEST=`make`

Change-Id: Ifb408c55c3b69ddff453dcc704b7389298050473
Signed-off-by: Edward O'Callaghan <quasisec@google.com>
Spotted-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/61545
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
M fmap.c
1 file changed, 3 insertions(+), 0 deletions(-)

diff --git a/fmap.c b/fmap.c
index b18cbf7..0236b62 100644
--- a/fmap.c
+++ b/fmap.c
@@ -96,6 +96,9 @@
 	off_t offset;
 	bool fmap_found = 0;
 
+	if (len < sizeof(struct fmap))
+		return -1;
+
 	for (offset = 0; offset <= (off_t)(len - sizeof(struct fmap)); offset++) {
 		if (is_valid_fmap((struct fmap *)&buf[offset])) {
 			fmap_found = 1;

To view, visit change 61545. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: flashrom
Gerrit-Branch: master
Gerrit-Change-Id: Ifb408c55c3b69ddff453dcc704b7389298050473
Gerrit-Change-Number: 61545
Gerrit-PatchSet: 3
Gerrit-Owner: Edward O'Callaghan <quasisec@chromium.org>
Gerrit-Reviewer: Angel Pons <th3fanbus@gmail.com>
Gerrit-Reviewer: Julius Werner <jwerner@chromium.org>
Gerrit-Reviewer: Nico Huber <nico.h@gmx.de>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-MessageType: merged