Skip to content

Commit

Permalink
dp-hw.c: fix incorrect error handling of efidp_node_size() invocations
Browse files Browse the repository at this point in the history
One of our analysis tools noticed the following error:

 Error: OVERRUN (CWE-119):
 efivar-38/src/dp-hw.c:64: return_constant: Function call "efidp_node_size(dp)" may return -1.
 efivar-38/src/dp-hw.c:64: overrun-buffer-arg: Calling "format_hex_helper" with "(uint8_t *)dp + 4" and "efidp_node_size(dp) - 4L" is suspicious because of the very large index, 18446744073709551611. The index may be due to a negative parameter being interpreted as unsigned.
 #   62|                   format(buf, size, off, "Hardware",
 #   63|                          "HardwarePath(%d,", dp->subtype);
 #   64|->                 format_hex(buf, size, off, "Hardware", (uint8_t *)dp+4,
 #   65|                              efidp_node_size(dp)-4);
 #   66|                   format(buf, size, off, "Hardware", ")");

This patch adds error checking to that use of efidp_node_size().

Resolves: RHEL-27676
Signed-off-by: Peter Jones <pjones@redhat.com>
  • Loading branch information
vathpela committed Mar 6, 2024
1 parent d565afe commit cfb92bf
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions src/dp-hw.c
Original file line number Diff line number Diff line change
Expand Up @@ -58,13 +58,20 @@ _format_hw_dn(unsigned char *buf, size_t size, const_efidp dp)
format(buf, size, off, "BMC", "BMC(%d,0x%"PRIx64")",
dp->bmc.interface_type, dp->bmc.base_addr);
break;
default:
default: {
ssize_t sz = efidp_node_size(dp);

if (SUB(sz, 4, &sz) ||
sz < 0) {
efi_error("bad DP node size");
return -1;
}
format(buf, size, off, "Hardware",
"HardwarePath(%d,", dp->subtype);
format_hex(buf, size, off, "Hardware", (uint8_t *)dp+4,
efidp_node_size(dp)-4);
format_hex(buf, size, off, "Hardware", (uint8_t *)dp+4, sz);
format(buf, size, off, "Hardware", ")");
break;
}
}
return off;
}
Expand Down

0 comments on commit cfb92bf

Please sign in to comment.