File dmidecode-fortify-entry-point-length-checks.patch of Package dmidecode.28622

From: Jean Delvare <jdelvare@suse.de>
Date: Fri, 16 Dec 2022 10:36:55 +0100
Subject: dmidecode: Fortify entry point length checks
Git-commit: 67dc0b27d50e3986d5e7cd35ec25cc5901a2e9e9
Patch-mainline: 3.5

Ensure that the SMBIOS entry point is long enough to include all the
fields we need. Otherwise it is pointless to even attempt to verify
its checksum.

A similar check was added to the SMBIOS entry point parser in the
Linux kernel.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
---
 dmidecode.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/dmidecode.c
+++ b/dmidecode.c
@@ -5700,7 +5700,8 @@ static int smbios3_decode(u8 *buf, const
 		return 0;
 	}
 
-	if (!checksum(buf, buf[0x06]))
+	if (buf[0x06] < 0x18
+	 || !checksum(buf, buf[0x06]))
 		return 0;
 
 	ver = (buf[0x07] << 16) + (buf[0x08] << 8) + buf[0x09];
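Review bot: The new `buf[0x06] < 0x18` bound in smbios3_decode carries no comment, unlike the matching check this commit adds to smbios_decode, so a reader has to know that 0x18 is the size of the SMBIOS 3.x (64-bit) entry point structure. I would add `/* The 64-bit entry point structure is 0x18 bytes long */` above the condition. The check only sets a lower bound: buf[0x06] is firmware-supplied and is also the length handed to checksum(), so the upper bound against the real buffer size has to be enforced earlier, presumably by the branch whose tail shows in the context lines. The function body starts and ends outside the hunk, so that cannot be confirmed here.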
@@ -5747,7 +5748,12 @@ static int smbios_decode(u8 *buf, const
 		return 0;
 	}
 
-	if (!checksum(buf, buf[0x05])
+	/*
+	 * The size of this structure is 0x1F bytes, but we also accept value
+	 * 0x1E due to a mistake in SMBIOS specification version 2.1.
+	 */
+	if (buf[0x05] < 0x1E
+	 || !checksum(buf, buf[0x05])
 	 || memcmp(buf + 0x10, "_DMI_", 5) != 0
 	 || !checksum(buf + 0x10, 0x0F))
 		return 0;
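Review bot: Accepting a declared length of 0x1E means the intermediate checksum further down the same condition, `checksum(buf + 0x10, 0x0F)`, still reads offset 0x1E, one byte past what the entry point claims to contain. That is safe only if every caller hands smbios_decode a buffer of at least 0x1F bytes, which is not visible from this hunk. I would extend the new comment with a line such as `* In that case byte 0x1E is still read by the _DMI_ checksum, so buf must hold at least 0x1F bytes.` The function body starts and ends outside the hunk.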