[12/17] cbfs: Check offset range when reading a file

Message ID	20210508220021.1778080-13-sjg@chromium.org
State	Changes Requested
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Simon Glass <sjg@chromium.org> To: U-Boot Mailing List <u-boot@lists.denx.de> Cc: Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>, Bin Meng <bmeng.cn@gmail.com>, Stefan Reinauer <reinauer@chromium.org> Subject: [PATCH 12/17] cbfs: Check offset range when reading a file Date: Sat, 8 May 2021 16:00:16 -0600 Message-Id: <20210508220021.1778080-13-sjg@chromium.org> In-Reply-To: <20210508220021.1778080-1-sjg@chromium.org> References: <20210508220021.1778080-1-sjg@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	Fix various coverity warnings \| expand [00/17] Fix various coverity warnings [01/17] sandbox: net: Ensure host name is always a valid string [02/17] video: Check return value in pwm_backlight_of_to_plat() [03/17] sandbox: Indicate NULL-pointer access in 'sigsegv' command [04/17] test: Rename final check in setexpr_test_backref() [05/17] tools: Avoid showing return value of clock_gettime() [06/17] reset: Avoid a warning in devm_reset_bulk_get_by_node() [07/17] reset: Avoid a warning in devm_regmap_init() [08/17] test: Avoid random numbers in dm_test_devm_regmap() [09/17] dm: core: Check uclass_get() return value when dumping [10/17] sandbox: scmi: Indicate dead code for coverity [11/17] sandbox: cros_ec: Update error handling when reading matrix [12/17] cbfs: Check offset range when reading a file [13/17] pinctrl: Avoid coverity warning when checking width [14/17] tpm: Check outgoing command size [15/17] sandbox: Silence coverity warning in state_read_file() [16/17] clk: Detect failure to set defaults [17/17] RFC: clk: Return error code from clk_set_default_get_by_id()

Message ID

20210508220021.1778080-13-sjg@chromium.org

State

Changes Requested

Delegated to:

Tom Rini

Headers

From: Simon Glass <sjg@chromium.org>
To: U-Boot Mailing List <u-boot@lists.denx.de>
Cc: Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>,
 Bin Meng <bmeng.cn@gmail.com>, Stefan Reinauer <reinauer@chromium.org>
Subject: [PATCH 12/17] cbfs: Check offset range when reading a file
Date: Sat,  8 May 2021 16:00:16 -0600
Message-Id: <20210508220021.1778080-13-sjg@chromium.org>
In-Reply-To: <20210508220021.1778080-1-sjg@chromium.org>
References: <20210508220021.1778080-1-sjg@chromium.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

Fix various coverity warnings | expand

Commit Message

Simon Glass May 8, 2021, 10 p.m. UTC

Add a check that the offset is within the allowed range.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Coverity (CID: 331155)
---

 fs/cbfs/cbfs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/cbfs/cbfs.c b/fs/cbfs/cbfs.c
index 415ea28b871..3e905c74e58 100644
--- a/fs/cbfs/cbfs.c
+++ b/fs/cbfs/cbfs.c
@@ -167,6 +167,8 @@  static int file_cbfs_next_file(struct cbfs_priv *priv, void *start, int size,
 		}
 
 		swap_file_header(&header, file_header);
+		if (header.offset >= size)
+			return log_msg_ret("range", -E2BIG);
 		ret = fill_node(node, start, &header);
 		if (ret) {
 			priv->result = CBFS_BAD_FILE;

[12/17] cbfs: Check offset range when reading a file

Commit Message

Patch