File dmidecode-avoid-oob-read-on-invalid-entry-point... of Package dmidecode

Overview Repositories Revisions Requests Users Attributes Meta

File dmidecode-avoid-oob-read-on-invalid-entry-point-length.patch of Package dmidecode

From: Jean Delvare <jdelvare@suse.de>
Date: Wed, 1 Aug 2018 09:54:45 +0200
Subject: dmidecode: Avoid OOB read on invalid entry point length
Git-commit: 8ff32018e8dd53c26d1f0daef118037fdae58c68
Patch-mainline: 3.2

Don't let the entry point checksum verification run beyond the end of
the buffer holding it (32 bytes).

This bug was discovered by Lionel Debroux using the AFL fuzzer and
AddressSanitizer.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
---
 dmidecode.c |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- a/dmidecode.c
+++ b/dmidecode.c
@@ -4713,6 +4713,15 @@ static int smbios3_decode(u8 *buf, const
 	u32 ver;
 	u64 offset;
 
+	/* Don't let checksum run beyond the buffer */
+	if (buf[0x06] > 0x20)
+	{
+		fprintf(stderr,
+			"Entry point length too large (%u bytes, expected %u).\n",
+			(unsigned int)buf[0x06], 0x18U);
+		return 0;
+	}
+
 	if (!checksum(buf, buf[0x06]))
 		return 0;
 
@@ -4751,6 +4760,15 @@ static int smbios_decode(u8 *buf, const
 {
 	u16 ver;
 
+	/* Don't let checksum run beyond the buffer */
+	if (buf[0x05] > 0x20)
+	{
+		fprintf(stderr,
+			"Entry point length too large (%u bytes, expected %u).\n",
+			(unsigned int)buf[0x05], 0x1FU);
+		return 0;
+	}
+
 	if (!checksum(buf, buf[0x05])
 	 || memcmp(buf + 0x10, "_DMI_", 5) != 0
 	 || !checksum(buf + 0x10, 0x0F))

Places

File dmidecode-avoid-oob-read-on-invalid-entry-point-length.patch of Package dmidecode

Places