| Message ID | 20210114004116.353679-1-alex.hung@canonical.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | acpi: pmtt: fix infinite loops when length is incorrectly zero | expand |
On 14/01/2021 00:41, Alex Hung wrote: > Signed-off-by: Alex Hung <alex.hung@canonical.com> > --- > src/acpi/pmtt/pmtt.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/src/acpi/pmtt/pmtt.c b/src/acpi/pmtt/pmtt.c > index 99fd510d..def44a51 100644 > --- a/src/acpi/pmtt/pmtt.c > +++ b/src/acpi/pmtt/pmtt.c > @@ -104,6 +104,14 @@ static void pmtt_controller_test(fwts_framework *fw, fwts_acpi_table_pmtt_contro > offset += sizeof(fwts_acpi_table_pmtt_domain) * entry->domain_count; > header = (fwts_acpi_table_pmtt_header *) (((char *) entry) + offset); > while (offset < entry->header.length) { > + ^ can the empty line above be removed > + if (header->length == 0) { > + fwts_failed(fw, LOG_LEVEL_CRITICAL, > + "PMTTBadSubtableLength", > + "PMTT Controller has a subtable with zero length"); > + break; > + } > + > if (header->type == FWTS_ACPI_PMTT_TYPE_DIMM) { > pmtt_physical_component_test(fw, (fwts_acpi_table_pmtt_physical_component *) header, passed); > } else { > @@ -132,7 +140,16 @@ static void pmtt_socket_test(fwts_framework *fw, fwts_acpi_table_pmtt_socket *en > > offset = sizeof(fwts_acpi_table_pmtt_socket); > header = (fwts_acpi_table_pmtt_header *) (((char *) entry) + offset); > + > while (offset < entry->header.length) { > + ^ and remove this one too. > + if (header->length == 0) { > + fwts_failed(fw, LOG_LEVEL_CRITICAL, > + "PMTTBadSubtableLength", > + "PMTT Socket has a subtable with zero length"); > + break; > + } > + > if (header->type == FWTS_ACPI_PMTT_TYPE_CONTROLLER) { > pmtt_controller_test(fw, (fwts_acpi_table_pmtt_controller *) header, passed); > } else { > Thanks
diff --git a/src/acpi/pmtt/pmtt.c b/src/acpi/pmtt/pmtt.c index 99fd510d..def44a51 100644 --- a/src/acpi/pmtt/pmtt.c +++ b/src/acpi/pmtt/pmtt.c @@ -104,6 +104,14 @@ static void pmtt_controller_test(fwts_framework *fw, fwts_acpi_table_pmtt_contro offset += sizeof(fwts_acpi_table_pmtt_domain) * entry->domain_count; header = (fwts_acpi_table_pmtt_header *) (((char *) entry) + offset); while (offset < entry->header.length) { + + if (header->length == 0) { + fwts_failed(fw, LOG_LEVEL_CRITICAL, + "PMTTBadSubtableLength", + "PMTT Controller has a subtable with zero length"); + break; + } + if (header->type == FWTS_ACPI_PMTT_TYPE_DIMM) { pmtt_physical_component_test(fw, (fwts_acpi_table_pmtt_physical_component *) header, passed); } else { @@ -132,7 +140,16 @@ static void pmtt_socket_test(fwts_framework *fw, fwts_acpi_table_pmtt_socket *en offset = sizeof(fwts_acpi_table_pmtt_socket); header = (fwts_acpi_table_pmtt_header *) (((char *) entry) + offset); + while (offset < entry->header.length) { + + if (header->length == 0) { + fwts_failed(fw, LOG_LEVEL_CRITICAL, + "PMTTBadSubtableLength", + "PMTT Socket has a subtable with zero length"); + break; + } + if (header->type == FWTS_ACPI_PMTT_TYPE_CONTROLLER) { pmtt_controller_test(fw, (fwts_acpi_table_pmtt_controller *) header, passed); } else {
Signed-off-by: Alex Hung <alex.hung@canonical.com> --- src/acpi/pmtt/pmtt.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)