You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
87 lines
2.0 KiB
87 lines
2.0 KiB
7 years ago
|
From e9ce922ddf2ec6c1095f42ee9857f369084761c3 Mon Sep 17 00:00:00 2001
|
||
|
From: Peter Jones <pjones@redhat.com>
|
||
|
Date: Tue, 9 May 2017 15:34:08 -0400
|
||
|
Subject: [PATCH 23/24] efi_loadopt_create(): avoid NULL dereference
|
||
|
|
||
|
covscan rightly points out that dp is allowed to be NULL (and so is
|
||
|
buf), so we can't pass those in to memcpy() in those cases.
|
||
|
|
||
|
So don't.
|
||
|
|
||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||
|
---
|
||
|
src/loadopt.c | 46 +++++++++++++++++++++++++++-------------------
|
||
|
1 file changed, 27 insertions(+), 19 deletions(-)
|
||
|
|
||
|
diff --git a/src/loadopt.c b/src/loadopt.c
|
||
|
index 5301f3d..cf0886d 100644
|
||
|
--- a/src/loadopt.c
|
||
|
+++ b/src/loadopt.c
|
||
|
@@ -56,36 +56,44 @@ efi_loadopt_create(uint8_t *buf, ssize_t size, uint32_t attributes,
|
||
|
}
|
||
|
|
||
|
if (!buf) {
|
||
|
+invalid:
|
||
|
errno = EINVAL;
|
||
|
return -1;
|
||
|
}
|
||
|
|
||
|
- if (!optional_data && optional_data_size != 0) {
|
||
|
- errno = EINVAL;
|
||
|
- return -1;
|
||
|
- }
|
||
|
+ if (!optional_data && optional_data_size != 0)
|
||
|
+ goto invalid;
|
||
|
|
||
|
- if (!dp && dp_size == 0) {
|
||
|
- errno = EINVAL;
|
||
|
- return -1;
|
||
|
- }
|
||
|
+ if ((!dp && dp_size == 0) || dp_size < 0)
|
||
|
+ goto invalid;
|
||
|
+
|
||
|
+ if (dp) {
|
||
|
+ if (!efidp_is_valid(dp, dp_size))
|
||
|
+ goto invalid;
|
||
|
|
||
|
- uint8_t *pos = buf;
|
||
|
+ if (efidp_size(dp) != dp_size)
|
||
|
+ goto invalid;
|
||
|
+ }
|
||
|
|
||
|
- *(uint32_t *)pos = attributes;
|
||
|
- pos += sizeof (attributes);
|
||
|
+ if (buf) {
|
||
|
+ uint8_t *pos = buf;
|
||
|
+ *(uint32_t *)pos = attributes;
|
||
|
+ pos += sizeof (attributes);
|
||
|
|
||
|
- *(uint16_t *)pos = dp_size;
|
||
|
- pos += sizeof (uint16_t);
|
||
|
+ *(uint16_t *)pos = dp_size;
|
||
|
+ pos += sizeof (uint16_t);
|
||
|
|
||
|
- utf8_to_ucs2((uint16_t *)pos, desc_len, 1, (uint8_t *)description);
|
||
|
- pos += desc_len;
|
||
|
+ utf8_to_ucs2((uint16_t *)pos, desc_len, 1,
|
||
|
+ (uint8_t *)description);
|
||
|
+ pos += desc_len;
|
||
|
|
||
|
- memcpy(pos, dp, dp_size);
|
||
|
- pos += dp_size;
|
||
|
+ if (dp)
|
||
|
+ memcpy(pos, dp, dp_size);
|
||
|
+ pos += dp_size;
|
||
|
|
||
|
- if (optional_data && optional_data_size > 0)
|
||
|
- memcpy(pos, optional_data, optional_data_size);
|
||
|
+ if (optional_data && optional_data_size > 0)
|
||
|
+ memcpy(pos, optional_data, optional_data_size);
|
||
|
+ }
|
||
|
|
||
|
return sz;
|
||
|
}
|
||
|
--
|
||
|
2.12.2
|
||
|
|