ACK: [PATCH] dmicheck: fix incorrect boundary checks for various types

Colin Ian King colin.king at canonical.com
Mon Sep 10 13:05:14 UTC 2018


On 04/09/18 21:40, Alex Hung wrote:
> Fixes include boundary checks for type 17, 26, 27, 28, 29, 38 and 43.
> 
> Signed-off-by: Alex Hung <alex.hung at canonical.com>
> ---
>  src/dmi/dmicheck/dmicheck.c | 18 +++++++++++-------
>  1 file changed, 11 insertions(+), 7 deletions(-)
> 
> diff --git a/src/dmi/dmicheck/dmicheck.c b/src/dmi/dmicheck/dmicheck.c
> index 8497c2ab..97305eca 100644
> --- a/src/dmi/dmicheck/dmicheck.c
> +++ b/src/dmi/dmicheck/dmicheck.c
> @@ -1475,11 +1475,13 @@ static void dmicheck_entry(fwts_framework *fw,
>  			dmi_str_check(fw, table, addr, "Serial Number", hdr, 0x18);
>  			dmi_str_check(fw, table, addr, "Asset Tag", hdr, 0x19);
>  			dmi_str_check(fw, table, addr, "Part Number", hdr, 0x1a);
> -			if (hdr->length < 0x20)
> +			if (hdr->length < 0x1c)
>  				break;
>  			dmi_reserved_bits_check(fw, table, addr, "Attributes", hdr, sizeof(uint8_t), 0x1b, 4, 7);
> +			if (hdr->length < 0x20)
> +				break;
>  			dmi_reserved_bits_check(fw, table, addr, "Extended Size", hdr, sizeof(uint32_t), 0x1c, 31, 31);
> -			if (hdr->length < 0x28)
> +			if (hdr->length < 0x3c)
>  				break;
>  			dmi_min_max_uint8_check(fw, table, addr, "Memory Technology", hdr, 0x28, 0x1, 0x7);
>  			dmi_reserved_bits_check(fw, table, addr, "Memory Operating Mode Cap", hdr, sizeof(uint16_t), 0x29, 6, 15);
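Review bot: The `hdr->length < 0x3c` gate ahead of "Memory Technology" is a bare constant with no stated link to the fields it protects. The two reads visible after it, one byte at 0x28 and `sizeof(uint16_t)` at 0x29, need only 0x2b, so the bound presumably covers reads further down in dmicheck_entry, which continues outside this hunk. Because `hdr->length` comes from the firmware table and is the only thing keeping these offsets inside the structure, each staged check would be easier to audit with a comment naming the last field it covers, e.g. `/* Attributes: 1 byte at 0x1b */` and `/* Extended Size: 4 bytes at 0x1c */`. For the 0x3c gate, the comment should name the field that ends at 0x3b, and any later read past that offset needs its own check.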
> @@ -1614,7 +1616,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 26: /* 7.27 */
>  			table = "Voltage Probe (Type 26)";
> -			if (hdr->length < 0x14)
> +			if (hdr->length < 0x16)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
>  			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f);
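Review bot: Raising the single entry gate from 0x14 to 0x16 silently skips every check in this case for a structure of length 0x14 or 0x15, which the previous code accepted. That includes the Description and Location checks at offsets 0x4 and 0x5 shown here. If the larger bound is only needed by a field read further down (the case body continues outside the hunk), keep `if (hdr->length < 0x14) break;` here and add `if (hdr->length < 0x16) break;` immediately before that read, as the type 17 hunk does. The same applies to the type 27 gate (0xc to 0xe, ahead of `data[0x06]`), the type 28 and 29 gates, and the new type 38 gate of 0x12 ahead of the Interface Type check at 0x4.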
> @@ -1623,7 +1625,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 27: /* 7.28 */
>  			table = "Cooling Device (Type 27)";
> -			if (hdr->length < 0xc)
> +			if (hdr->length < 0xe)
>  				break;
>  			val = data[0x06] & 0x1f;
>  			if (!(((val >= 0x01) && (val <= 0x09)) ||
> @@ -1643,7 +1645,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 28: /* 7.29 */
>  			table = "Temperature Probe (Type 28)";
> -			if (hdr->length < 0x14)
> +			if (hdr->length < 0x16)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
>  			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xf, 0, 0x1f);
> @@ -1652,7 +1654,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 29: /* 7.30 */
>  			table = "Electrical Current Probe (Type 29)";
> -			if (hdr->length < 0x14)
> +			if (hdr->length < 0x16)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
>  			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f);
> @@ -1732,6 +1734,8 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 38: /* 7.39 */
>  			table = "IPMI Device Information (Type 38)";
> +			if (hdr->length < 0x12)
> +				break;
>  			dmi_min_max_uint8_check(fw, table, addr, "Interface Type", hdr, 0x4, 0x0, 0x4);
>  
>  			dmi_reserved_bits_check(fw, table, addr, "Base Addr Modifier/Interrupt Info", hdr, sizeof(uint8_t), 0x10, 2, 2);
> @@ -1782,7 +1786,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 43: /* 7.44 */
>  			table = "TPM Device (Type 43)";
> -			if (hdr->length < 0x16)
> +			if (hdr->length < 0x1b)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x12);
>  			dmi_reserved_bits_check(fw, table, addr, "Characteristics", hdr, sizeof(uint64_t), 0x13, 6, 63);
> 
Good catches!

Acked-by: Colin Ian King <colin.king at canonical.com>


