ACK: [PATCH] dmi: dmicheck: add some simple sanity checks to table size
Alex Hung
alex.hung at canonical.com
Mon Jan 18 07:04:41 UTC 2016
On 2016-01-15 09:46 PM, Colin King wrote:
> From: Colin Ian King <colin.king at canonical.com>
>
> The DMI table size should be sanity checked as an incorrect value
> from the header may provide a bogus size and we could end up allocating
> a buffer that will lead to a kernel OOM killer on fwts. The 32 bit
> case the DMI tables are limited to 64K anyhow, but for the 64 bit case
> I've limited this to 0xffffff rather than the 32 bit limit of 0xffffffff
> as I really doubt tables are going to be larger than this.
>
> Signed-off-by: Colin Ian King <colin.king at canonical.com>
> ---
> src/dmi/dmicheck/dmicheck.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/src/dmi/dmicheck/dmicheck.c b/src/dmi/dmicheck/dmicheck.c
> index ad69912..4fa993d 100644
> --- a/src/dmi/dmicheck/dmicheck.c
> +++ b/src/dmi/dmicheck/dmicheck.c
> @@ -332,6 +332,13 @@ static void* dmi_table_smbios(fwts_framework *fw, fwts_smbios_entry *entry)
> void *mem;
> char anchor[8];
>
> + /* 32 bit entry sanity check on length */
> + if ((length == 0) || (length > 0xffff)) {
> + fwts_log_info(fw, "SMBIOS table size of %zu bytes looks "
> + "suspicious", length);
> + return NULL;
> + }
> +
> mem = fwts_mmap(addr, length);
> if (mem != FWTS_MAP_FAILED) {
> table = malloc(length);
> @@ -366,6 +373,13 @@ static void* dmi_table_smbios30(fwts_framework *fw, fwts_smbios30_entry *entry)
> void *mem;
> char anchor[8];
>
> + /* 64 bit entry sanity check on length */
> + if ((length == 0) || (length > 0xffffff)) {
> + fwts_log_info(fw, "SMBIOS table size of %zu bytes looks "
> + "suspicious", length);
> + return NULL;
> + }
> +
> mem = fwts_mmap(addr, length);
> if (mem != FWTS_MAP_FAILED) {
> table = malloc(length);
>
Acked-by: Alex Hung <alex.hung at canonical.com>
More information about the fwts-devel
mailing list