From patchwork Tue May 15 18:03:56 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Colin Ian King
X-Patchwork-Id: 159405
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id F1062B6FC8 for ; Wed, 16 May 2012 04:04:01 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1SUM6I-0001uS-T8 for incoming@patchwork.ozlabs.org; Tue, 15 May 2012 18:03:58 +0000
Received: from youngberry.canonical.com ([91.189.89.112]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1SUM6H-0001uK-65 for fwts-devel@lists.ubuntu.com; Tue, 15 May 2012 18:03:57 +0000
Received: from cpc19-craw6-2-0-cust5.croy.cable.virginmedia.com ([77.102.228.6] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1SUM6H-0005A6-30 for fwts-devel@lists.ubuntu.com; Tue, 15 May 2012 18:03:57 +0000
From: Colin King
To: fwts-devel@lists.ubuntu.com
Subject: [PATCH] pci: aspm: fix memory read outside buffer
Date: Tue, 15 May 2012 19:03:56 +0100
Message-Id: <1337105036-529-1-git-send-email-colin.king@canonical.com>
X-Mailer: git-send-email 1.7.9.5
X-BeenThere: fwts-devel@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Firmware Test Suite Development
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Sender: fwts-devel-bounces@lists.ubuntu.com
Errors-To: fwts-devel-bounces@lists.ubuntu.com

From: Colin Ian King

valgrind picked up the following bug:

==32563== Invalid read of size 1
==32563== at 0x41DB6C: pcie_check_aspm_registers (aspm.c:247)
==32563== by 0x534131C: fwts_framework_args (fwts_framework.c:608)
==32563== by 0x403C68: main (main.c:27)
==32563== Address 0x62e9ba3 is 2 bytes after a block of size 1 alloc'd
==32563== at 0x4C29DB4: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32563== by 0x5346F20: fwts_list_from_text (fwts_text_list.c:109)
==32563== by 0x5345E94: fwts_pipe_exec (fwts_pipeio.c:149)
==32563== by 0x41DB38: pcie_check_aspm_registers (aspm.c:236)
==32563== by 0x534131C: fwts_framework_args (fwts_framework.c:608)
==32563== by 0x403C68: main (main.c:27)

this occurs when parsing the output from lspci - the code is reading outside the returned string and we need to check for short strings before parsing the line.

Signed-off-by: Colin Ian King
Acked-by: Alex Hung
Acked-by: Keng-Yu Lin
Acked-by: Ivan Hu
--- src/pci/aspm/aspm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pci/aspm/aspm.c b/src/pci/aspm/aspm.c index c3c1c71..c461ce8 100644 --- a/src/pci/aspm/aspm.c +++ b/src/pci/aspm/aspm.c @@ -244,7 +244,7 @@ int pcie_check_aspm_registers(fwts_framework *fw, char *line = fwts_text_list_text(item); char *pEnd; - if (line[3] == ' ') { + if (strlen(line) >= 3 && line[3] == ' ') { reg_val = strtol(line, &pEnd, 16); for (i = 0; reg_loc < 256 && i < 16; i++) { reg_val = strtol(pEnd + 1, &pEnd, 16);
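
Review bot: the new length test only makes the line[3] read safe; the loop in the trailing context still calls strtol(pEnd + 1, &pEnd, 16) up to 16 times, and nothing in the visible lines stops it once pEnd has reached the string terminator. A line that passes the test but carries fewer than 16 byte fields (for example a truncated lspci dump line) leaves pEnd on the terminator, and the next pEnd + 1 then points past the end of the buffer, which is the same class of invalid read valgrind reported. Suggest leaving the loop when *pEnd is '\0' or when strtol consumes no characters. A smaller point on the changed line: strlen(line) >= 3 is sufficient only because line[3] is then the terminator itself; strlen(line) > 3 would state the intent (a fourth character exists) more directly.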