base/SOURCES/0010-efidp_append_path-erro...

From 62e8de172dfa707990e3f2721954290499c0e14f Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 1 May 2017 14:54:15 -0400
Subject: [PATCH 10/22] efidp_append_path(): error check the right variable.

We do lsz=efidp_size(dp); rsz=efidp_size(dn); and then we error check
lsz twice.  One should be rsz.

We also actually do the whole thing with lsz twice anyway, and fail to
check that dp isn't NULL first.

We're also not error checking that the buffer from our addition is
actually large enough to hold something meaningful.  So do that too.

None of that is right, so fix it.

Covscan completely failed to notice this, but complained about something
irrelevant later on in the code that's a result.

Signed-off-by: Peter Jones <pjones@redhat.com>
---
 src/dp.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/dp.c b/src/dp.c
index e9a257e..e700af9 100644
--- a/src/dp.c
+++ b/src/dp.c
@@ -139,7 +139,7 @@ efidp_append_path(const_efidp dp0, const_efidp dp1, efidp *out)
 	}
 
 	rsz = efidp_size(dp1);
-	if (lsz < 0) {
+	if (rsz < 0) {
 		efi_error("efidp_size(dp1) returned error");
 		return -1;
 	}
@@ -166,6 +166,13 @@ efidp_append_path(const_efidp dp0, const_efidp dp1, efidp *out)
 		efi_error("arithmetic overflow computing allocation size");
 		return -1;
 	}
+
+	if (newsz < (ssize_t)sizeof(efidp_header)) {
+		errno = EINVAL;
+		efi_error("allocation for new device path is smaller than device path header.");
+		return -1;
+	}
+
 	new = malloc(newsz);
 	if (!new) {
 		efi_error("allocation failed");
@@ -195,10 +202,11 @@ efidp_append_node(const_efidp dp, const_efidp dn, efidp *out)
 		return rc;
 	}
 
-	lsz = efidp_size(dp);
-	if (lsz < 0) {
-		efi_error("efidp_size(dp) returned error");
-		return -1;
+	if (!dp && dn) {
+		rc = efidp_duplicate_path(dn, out);
+		if (rc < 0)
+			efi_error("efidp_duplicate_path() failed");
+		return rc;
 	}
 
 	if (dp && !dn) {
@@ -209,13 +217,17 @@ efidp_append_node(const_efidp dp, const_efidp dn, efidp *out)
 	}
 
 	lsz = efidp_size(dp);
-	if (lsz < 0)
+	if (lsz < 0) {
+		efi_error("efidp_size(dp) returned error");
 		return -1;
+	}
 
 
 	rsz = efidp_node_size(dn);
-	if (rsz < 0)
+	if (rsz < 0) {
+		efi_error("efidp_size(dn) returned error");
 		return -1;
+	}
 
 	if (!dp && dn) {
 		if (add(rsz, sizeof(end_entire), &newsz)) {
-- 
2.12.2
efivar package update Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org> 6 years ago			`From 62e8de172dfa707990e3f2721954290499c0e14f Mon Sep 17 00:00:00 2001`
			`From: Peter Jones <pjones@redhat.com>`
			`Date: Mon, 1 May 2017 14:54:15 -0400`
			`Subject: [PATCH 10/22] efidp_append_path(): error check the right variable.`

			`We do lsz=efidp_size(dp); rsz=efidp_size(dn); and then we error check`
			`lsz twice. One should be rsz.`

			`We also actually do the whole thing with lsz twice anyway, and fail to`
			`check that dp isn't NULL first.`

			`We're also not error checking that the buffer from our addition is`
			`actually large enough to hold something meaningful. So do that too.`

			`None of that is right, so fix it.`

			`Covscan completely failed to notice this, but complained about something`
			`irrelevant later on in the code that's a result.`

			`Signed-off-by: Peter Jones <pjones@redhat.com>`
			`---`
			`src/dp.c \| 26 +++++++++++++++++++-------`
			`1 file changed, 19 insertions(+), 7 deletions(-)`

			`diff --git a/src/dp.c b/src/dp.c`
			`index e9a257e..e700af9 100644`
			`--- a/src/dp.c`
			`+++ b/src/dp.c`
			`@@ -139,7 +139,7 @@ efidp_append_path(const_efidp dp0, const_efidp dp1, efidp *out)`
			`}`

			`rsz = efidp_size(dp1);`
			`- if (lsz < 0) {`
			`+ if (rsz < 0) {`
			`efi_error("efidp_size(dp1) returned error");`
			`return -1;`
			`}`
			`@@ -166,6 +166,13 @@ efidp_append_path(const_efidp dp0, const_efidp dp1, efidp *out)`
			`efi_error("arithmetic overflow computing allocation size");`
			`return -1;`
			`}`
			`+`
			`+ if (newsz < (ssize_t)sizeof(efidp_header)) {`
			`+ errno = EINVAL;`
			`+ efi_error("allocation for new device path is smaller than device path header.");`
			`+ return -1;`
			`+ }`
			`+`
			`new = malloc(newsz);`
			`if (!new) {`
			`efi_error("allocation failed");`
			`@@ -195,10 +202,11 @@ efidp_append_node(const_efidp dp, const_efidp dn, efidp *out)`
			`return rc;`
			`}`

			`- lsz = efidp_size(dp);`
			`- if (lsz < 0) {`
			`- efi_error("efidp_size(dp) returned error");`
			`- return -1;`
			`+ if (!dp && dn) {`
			`+ rc = efidp_duplicate_path(dn, out);`
			`+ if (rc < 0)`
			`+ efi_error("efidp_duplicate_path() failed");`
			`+ return rc;`
			`}`

			`if (dp && !dn) {`
			`@@ -209,13 +217,17 @@ efidp_append_node(const_efidp dp, const_efidp dn, efidp *out)`
			`}`

			`lsz = efidp_size(dp);`
			`- if (lsz < 0)`
			`+ if (lsz < 0) {`
			`+ efi_error("efidp_size(dp) returned error");`
			`return -1;`
			`+ }`


			`rsz = efidp_node_size(dn);`
			`- if (rsz < 0)`
			`+ if (rsz < 0) {`
			`+ efi_error("efidp_size(dn) returned error");`
			`return -1;`
			`+ }`

			`if (!dp && dn) {`
			`if (add(rsz, sizeof(end_entire), &newsz)) {`
			`--`
			`2.12.2`