
fmap.c: Avoid undefined behaviour with fmap_lsearch([len:=0])

Calling libflashrom entry-points that internally dispatch to
fmap_lsearch() can result in an integer overflow. Therefore
validate the length parameter before attempting to use it.

BUG=none
TEST=`make`

Change-Id: Ifb408c55c3b69ddff453dcc704b7389298050473
Signed-off-by: Edward O'Callaghan <quasisec@google.com>
Spotted-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/61545
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Edward O'Callaghan 2022-02-02 17:15:05 +11:00 committed by Nico Huber
parent ac68a9e2a8
commit c26f27bef8

3
fmap.c

@ -96,6 +96,9 @@ static off_t fmap_lsearch(const uint8_t *buf, size_t len)
off_t offset; off_t offset;
bool fmap_found = 0; bool fmap_found = 0;
if (len < sizeof(struct fmap))
return -1;
for (offset = 0; offset <= (off_t)(len - sizeof(struct fmap)); offset++) { for (offset = 0; offset <= (off_t)(len - sizeof(struct fmap)); offset++) {
if (is_valid_fmap((struct fmap *)&buf[offset])) { if (is_valid_fmap((struct fmap *)&buf[offset])) {
fmap_found = 1; fmap_found = 1;