dmicheck: fix incorrect boundary checks for various types
diff mbox series

Message ID 20180904204016.5038-1-alex.hung@canonical.com
State Accepted
Headers show
Series
  • dmicheck: fix incorrect boundary checks for various types
Related show

Commit Message

Alex Hung Sept. 4, 2018, 8:40 p.m. UTC
Fixes include boundary checks for type 17, 26, 27, 28, 29, 38 and 43.

Signed-off-by: Alex Hung <alex.hung@canonical.com>
---
 src/dmi/dmicheck/dmicheck.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

Comments

ivanhu Sept. 10, 2018, 3:39 a.m. UTC | #1
On 09/05/2018 04:40 AM, Alex Hung wrote:
> Fixes include boundary checks for type 17, 26, 27, 28, 29, 38 and 43.
>
> Signed-off-by: Alex Hung <alex.hung@canonical.com>
> ---
>  src/dmi/dmicheck/dmicheck.c | 18 +++++++++++-------
>  1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/src/dmi/dmicheck/dmicheck.c b/src/dmi/dmicheck/dmicheck.c
> index 8497c2ab..97305eca 100644
> --- a/src/dmi/dmicheck/dmicheck.c
> +++ b/src/dmi/dmicheck/dmicheck.c
> @@ -1475,11 +1475,13 @@ static void dmicheck_entry(fwts_framework *fw,
>  			dmi_str_check(fw, table, addr, "Serial Number", hdr, 0x18);
>  			dmi_str_check(fw, table, addr, "Asset Tag", hdr, 0x19);
>  			dmi_str_check(fw, table, addr, "Part Number", hdr, 0x1a);
> -			if (hdr->length < 0x20)
> +			if (hdr->length < 0x1c)
>  				break;
>  			dmi_reserved_bits_check(fw, table, addr, "Attributes", hdr, sizeof(uint8_t), 0x1b, 4, 7);
> +			if (hdr->length < 0x20)
> +				break;
>  			dmi_reserved_bits_check(fw, table, addr, "Extended Size", hdr, sizeof(uint32_t), 0x1c, 31, 31);
> -			if (hdr->length < 0x28)
> +			if (hdr->length < 0x3c)
>  				break;
>  			dmi_min_max_uint8_check(fw, table, addr, "Memory Technology", hdr, 0x28, 0x1, 0x7);
>  			dmi_reserved_bits_check(fw, table, addr, "Memory Operating Mode Cap", hdr, sizeof(uint16_t), 0x29, 6, 15);
> @@ -1614,7 +1616,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 26: /* 7.27 */
>  			table = "Voltage Probe (Type 26)";
> -			if (hdr->length < 0x14)
> +			if (hdr->length < 0x16)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
>  			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f);
> @@ -1623,7 +1625,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 27: /* 7.28 */
>  			table = "Cooling Device (Type 27)";
> -			if (hdr->length < 0xc)
> +			if (hdr->length < 0xe)
>  				break;
>  			val = data[0x06] & 0x1f;
>  			if (!(((val >= 0x01) && (val <= 0x09)) ||
> @@ -1643,7 +1645,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 28: /* 7.29 */
>  			table = "Temperature Probe (Type 28)";
> -			if (hdr->length < 0x14)
> +			if (hdr->length < 0x16)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
>  			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xf, 0, 0x1f);
> @@ -1652,7 +1654,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 29: /* 7.30 */
>  			table = "Electrical Current Probe (Type 29)";
> -			if (hdr->length < 0x14)
> +			if (hdr->length < 0x16)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
>  			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f);
> @@ -1732,6 +1734,8 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 38: /* 7.39 */
>  			table = "IPMI Device Information (Type 38)";
> +			if (hdr->length < 0x12)
> +				break;
>  			dmi_min_max_uint8_check(fw, table, addr, "Interface Type", hdr, 0x4, 0x0, 0x4);
>  
>  			dmi_reserved_bits_check(fw, table, addr, "Base Addr Modifier/Interrupt Info", hdr, sizeof(uint8_t), 0x10, 2, 2);
> @@ -1782,7 +1786,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 43: /* 7.44 */
>  			table = "TPM Device (Type 43)";
> -			if (hdr->length < 0x16)
> +			if (hdr->length < 0x1b)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x12);
>  			dmi_reserved_bits_check(fw, table, addr, "Characteristics", hdr, sizeof(uint64_t), 0x13, 6, 63);
Acked-by: Ivan Hu <ivan.hu@canonical.com>
Colin King Sept. 10, 2018, 1:05 p.m. UTC | #2
On 04/09/18 21:40, Alex Hung wrote:
> Fixes include boundary checks for type 17, 26, 27, 28, 29, 38 and 43.
> 
> Signed-off-by: Alex Hung <alex.hung@canonical.com>
> ---
>  src/dmi/dmicheck/dmicheck.c | 18 +++++++++++-------
>  1 file changed, 11 insertions(+), 7 deletions(-)
> 
> diff --git a/src/dmi/dmicheck/dmicheck.c b/src/dmi/dmicheck/dmicheck.c
> index 8497c2ab..97305eca 100644
> --- a/src/dmi/dmicheck/dmicheck.c
> +++ b/src/dmi/dmicheck/dmicheck.c
> @@ -1475,11 +1475,13 @@ static void dmicheck_entry(fwts_framework *fw,
>  			dmi_str_check(fw, table, addr, "Serial Number", hdr, 0x18);
>  			dmi_str_check(fw, table, addr, "Asset Tag", hdr, 0x19);
>  			dmi_str_check(fw, table, addr, "Part Number", hdr, 0x1a);
> -			if (hdr->length < 0x20)
> +			if (hdr->length < 0x1c)
>  				break;
>  			dmi_reserved_bits_check(fw, table, addr, "Attributes", hdr, sizeof(uint8_t), 0x1b, 4, 7);
> +			if (hdr->length < 0x20)
> +				break;
>  			dmi_reserved_bits_check(fw, table, addr, "Extended Size", hdr, sizeof(uint32_t), 0x1c, 31, 31);
> -			if (hdr->length < 0x28)
> +			if (hdr->length < 0x3c)
>  				break;
>  			dmi_min_max_uint8_check(fw, table, addr, "Memory Technology", hdr, 0x28, 0x1, 0x7);
>  			dmi_reserved_bits_check(fw, table, addr, "Memory Operating Mode Cap", hdr, sizeof(uint16_t), 0x29, 6, 15);
> @@ -1614,7 +1616,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 26: /* 7.27 */
>  			table = "Voltage Probe (Type 26)";
> -			if (hdr->length < 0x14)
> +			if (hdr->length < 0x16)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
>  			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f);
> @@ -1623,7 +1625,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 27: /* 7.28 */
>  			table = "Cooling Device (Type 27)";
> -			if (hdr->length < 0xc)
> +			if (hdr->length < 0xe)
>  				break;
>  			val = data[0x06] & 0x1f;
>  			if (!(((val >= 0x01) && (val <= 0x09)) ||
> @@ -1643,7 +1645,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 28: /* 7.29 */
>  			table = "Temperature Probe (Type 28)";
> -			if (hdr->length < 0x14)
> +			if (hdr->length < 0x16)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
>  			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xf, 0, 0x1f);
> @@ -1652,7 +1654,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 29: /* 7.30 */
>  			table = "Electrical Current Probe (Type 29)";
> -			if (hdr->length < 0x14)
> +			if (hdr->length < 0x16)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
>  			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f);
> @@ -1732,6 +1734,8 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 38: /* 7.39 */
>  			table = "IPMI Device Information (Type 38)";
> +			if (hdr->length < 0x12)
> +				break;
>  			dmi_min_max_uint8_check(fw, table, addr, "Interface Type", hdr, 0x4, 0x0, 0x4);
>  
>  			dmi_reserved_bits_check(fw, table, addr, "Base Addr Modifier/Interrupt Info", hdr, sizeof(uint8_t), 0x10, 2, 2);
> @@ -1782,7 +1786,7 @@ static void dmicheck_entry(fwts_framework *fw,
>  
>  		case 43: /* 7.44 */
>  			table = "TPM Device (Type 43)";
> -			if (hdr->length < 0x16)
> +			if (hdr->length < 0x1b)
>  				break;
>  			dmi_str_check(fw, table, addr, "Description", hdr, 0x12);
>  			dmi_reserved_bits_check(fw, table, addr, "Characteristics", hdr, sizeof(uint64_t), 0x13, 6, 63);
> 
Good catches!

Acked-by: Colin Ian King <colin.king@canonical.com>

Patch
diff mbox series

diff --git a/src/dmi/dmicheck/dmicheck.c b/src/dmi/dmicheck/dmicheck.c
index 8497c2ab..97305eca 100644
--- a/src/dmi/dmicheck/dmicheck.c
+++ b/src/dmi/dmicheck/dmicheck.c
@@ -1475,11 +1475,13 @@  static void dmicheck_entry(fwts_framework *fw,
 			dmi_str_check(fw, table, addr, "Serial Number", hdr, 0x18);
 			dmi_str_check(fw, table, addr, "Asset Tag", hdr, 0x19);
 			dmi_str_check(fw, table, addr, "Part Number", hdr, 0x1a);
-			if (hdr->length < 0x20)
+			if (hdr->length < 0x1c)
 				break;
 			dmi_reserved_bits_check(fw, table, addr, "Attributes", hdr, sizeof(uint8_t), 0x1b, 4, 7);
+			if (hdr->length < 0x20)
+				break;
 			dmi_reserved_bits_check(fw, table, addr, "Extended Size", hdr, sizeof(uint32_t), 0x1c, 31, 31);
-			if (hdr->length < 0x28)
+			if (hdr->length < 0x3c)
 				break;
 			dmi_min_max_uint8_check(fw, table, addr, "Memory Technology", hdr, 0x28, 0x1, 0x7);
 			dmi_reserved_bits_check(fw, table, addr, "Memory Operating Mode Cap", hdr, sizeof(uint16_t), 0x29, 6, 15);
@@ -1614,7 +1616,7 @@  static void dmicheck_entry(fwts_framework *fw,
 
 		case 26: /* 7.27 */
 			table = "Voltage Probe (Type 26)";
-			if (hdr->length < 0x14)
+			if (hdr->length < 0x16)
 				break;
 			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
 			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f);
@@ -1623,7 +1625,7 @@  static void dmicheck_entry(fwts_framework *fw,
 
 		case 27: /* 7.28 */
 			table = "Cooling Device (Type 27)";
-			if (hdr->length < 0xc)
+			if (hdr->length < 0xe)
 				break;
 			val = data[0x06] & 0x1f;
 			if (!(((val >= 0x01) && (val <= 0x09)) ||
@@ -1643,7 +1645,7 @@  static void dmicheck_entry(fwts_framework *fw,
 
 		case 28: /* 7.29 */
 			table = "Temperature Probe (Type 28)";
-			if (hdr->length < 0x14)
+			if (hdr->length < 0x16)
 				break;
 			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
 			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xf, 0, 0x1f);
@@ -1652,7 +1654,7 @@  static void dmicheck_entry(fwts_framework *fw,
 
 		case 29: /* 7.30 */
 			table = "Electrical Current Probe (Type 29)";
-			if (hdr->length < 0x14)
+			if (hdr->length < 0x16)
 				break;
 			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
 			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f);
@@ -1732,6 +1734,8 @@  static void dmicheck_entry(fwts_framework *fw,
 
 		case 38: /* 7.39 */
 			table = "IPMI Device Information (Type 38)";
+			if (hdr->length < 0x12)
+				break;
 			dmi_min_max_uint8_check(fw, table, addr, "Interface Type", hdr, 0x4, 0x0, 0x4);
 
 			dmi_reserved_bits_check(fw, table, addr, "Base Addr Modifier/Interrupt Info", hdr, sizeof(uint8_t), 0x10, 2, 2);
@@ -1782,7 +1786,7 @@  static void dmicheck_entry(fwts_framework *fw,
 
 		case 43: /* 7.44 */
 			table = "TPM Device (Type 43)";
-			if (hdr->length < 0x16)
+			if (hdr->length < 0x1b)
 				break;
 			dmi_str_check(fw, table, addr, "Description", hdr, 0x12);
 			dmi_reserved_bits_check(fw, table, addr, "Characteristics", hdr, sizeof(uint64_t), 0x13, 6, 63);