dmidecode-devel

[dmidecode] [PATCH v2] dmidecode: Fortify entry point length checks


From: Jean Delvare
Subject: [dmidecode] [PATCH v2] dmidecode: Fortify entry point length checks
Date: Fri, 23 Sep 2022 13:27:31 +0200

Ensure that the SMBIOS entry point is long enough to include all the
fields we need. Otherwise it is pointless to even attempt to verify
its checksum.

A similar check was added to the SMBIOS entry point parser in the
Linux kernel.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
---
Changes since v1:
 * Accept length 0x1E for 32-bit SMBIOS entry points, and add a comment
   explaining why.

 dmidecode.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- dmidecode.orig/dmidecode.c
+++ dmidecode/dmidecode.c
@@ -5700,7 +5700,8 @@ static int smbios3_decode(u8 *buf, const
                return 0;
        }
 
-       if (!checksum(buf, buf[0x06]))
+       if (buf[0x06] < 0x18
+        || !checksum(buf, buf[0x06]))
                return 0;
 
        ver = (buf[0x07] << 16) + (buf[0x08] << 8) + buf[0x09];
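
Review bot: the new `buf[0x06] < 0x18` test in smbios3_decode() sets only a lower bound, so any length from 0x18 up to 0xFF is still passed to checksum(buf, buf[0x06]), and whether buf is guaranteed to hold that many bytes is not visible in this hunk. Consider also rejecting lengths above the largest entry point you intend to support, or stating why the caller's buffer makes the larger values safe. A short comment saying what 0x18 corresponds to, like the one added in smbios_decode(), would also explain the constant.
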
@@ -5747,7 +5748,12 @@ static int smbios_decode(u8 *buf, const
                return 0;
        }
 
-       if (!checksum(buf, buf[0x05])
+       /*
+        * The size of this structure is 0x1F bytes, but we also accept value
+        * 0x1E due to a mistake in SMBIOS specification version 2.1.
+        */
+       if (buf[0x05] < 0x1E
+        || !checksum(buf, buf[0x05])
         || memcmp(buf + 0x10, "_DMI_", 5) != 0
         || !checksum(buf + 0x10, 0x0F))
                return 0;
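
Review bot: the comment above `buf[0x05] < 0x1E` says the structure is 0x1F bytes and that 0x1E is tolerated, but the condition accepts every value from 0x1E to 0xFF, and checksum(buf, buf[0x05]) then runs over that length. If only 0x1E and 0x1F are meant to pass, add an upper bound to the condition; if longer entry points are allowed on purpose, extend the comment to say so and to note that buf is large enough for the maximum length.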


-- 
Jean Delvare
SUSE L3 Support


