[PATCH] dmi: dmicheck: add some simple sanity checks to table size

Colin King colin.king at canonical.com
Fri Jan 15 13:46:50 UTC 2016


From: Colin Ian King <colin.king at canonical.com>

The DMI table size should be sanity checked as an incorrect value
from the header may provide a bogus size and we could end up allocating
a buffer that will lead to a kernel OOM killer on fwts. In the 32 bit
case the DMI tables are limited to 64K anyhow, but for the 64 bit case
I've limited this to 0xffffff rather than the 32 bit limit of 0xffffffff
as I really doubt tables are going to be larger than this.

Signed-off-by: Colin Ian King <colin.king at canonical.com>
---
 src/dmi/dmicheck/dmicheck.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/dmi/dmicheck/dmicheck.c b/src/dmi/dmicheck/dmicheck.c
index ad69912..4fa993d 100644
--- a/src/dmi/dmicheck/dmicheck.c
+++ b/src/dmi/dmicheck/dmicheck.c
@@ -332,6 +332,13 @@ static void* dmi_table_smbios(fwts_framework *fw, fwts_smbios_entry *entry)
 	void *mem;
 	char anchor[8];
 
+	/* 32 bit entry sanity check on length */
+	if ((length == 0) || (length > 0xffff)) {
+		fwts_log_info(fw, "SMBIOS table size of %zu bytes looks "
+			"suspicious",  length);
+		return NULL;
+	}
+
 	mem = fwts_mmap(addr, length);
 	if (mem != FWTS_MAP_FAILED) {
 		table = malloc(length);
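Review bot: the rejection path in dmi_table_smbios() reports the bad size with fwts_log_info() and then returns NULL, so a zero or oversized length from the entry point shows up only as an informational line and the caller cannot tell it apart from the fwts_mmap() or malloc() failure paths below. A firmware-supplied size that fails this check is worth logging at a higher severity, or recording as a test failure, so it is not lost in the log. The declaration of length is outside this hunk, so please confirm it is a size_t to match the %zu specifier. Minor style points: 0xffff would read better as a named constant, and there is a double space in `"suspicious",  length);`.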
@@ -366,6 +373,13 @@ static void* dmi_table_smbios30(fwts_framework *fw, fwts_smbios30_entry *entry)
 	void *mem;
 	char anchor[8];
 
+	/* 64 bit entry sanity check on length */
+	if ((length == 0) || (length > 0xffffff)) {
+		fwts_log_info(fw, "SMBIOS table size of %zu bytes looks "
+			"suspicious",  length);
+		return NULL;
+	}
+
 	mem = fwts_mmap(addr, length);
 	if (mem != FWTS_MAP_FAILED) {
 		table = malloc(length);
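Review bot: the 0xffffff limit in dmi_table_smbios30() is a judgement call according to the commit message, but nothing in the code records that, so a later reader sees an unexplained magic number. A named define with a one-line comment on why it is lower than 0xffffffff would help. The log text is also identical to the one in dmi_table_smbios(), so the log does not say which entry point was rejected; mentioning SMBIOS 3.0 and the limit in the message would make the line actionable. Since the two checks differ only in the maximum, a small helper taking the limit as a parameter would avoid the duplication.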
-- 
2.7.0.rc3



