From patchwork Tue Feb 23 20:37:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 1443620 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=gmx.net header.i=@gmx.net header.a=rsa-sha256 header.s=badeba3b8450 header.b=ePOBJZOF; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DlW8Y0XJdz9sVF for ; Wed, 24 Feb 2021 07:37:58 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id A00E782A4E; Tue, 23 Feb 2021 21:37:50 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=gmx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; secure) header.d=gmx.net header.i=@gmx.net header.b="ePOBJZOF"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 7D52582A5E; Tue, 23 Feb 2021 21:37:48 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,FREEMAIL_FROM,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 9011F82A4C for ; Tue, 23 Feb 2021 21:37:45 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmx.de Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=xypron.glpk@gmx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1614112663; bh=EsXQKwg8js+G+g2H79V5uurf71u7foYunQ2vSGRfAMI=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=ePOBJZOFaKZrY/uSs7ipc/Xq4J9S5Pp1NROls7iizLibGa37G22NOIId9q1aOrkzS Hk4Q2rC4MeJoIC82zgNOpyPVwNgIy9a9dUnzhzDjcsRmwS8HU15hxKVynqMTisdDbl +9OrZP6hrJ+LQmNBMCafa9u3LH41khS1RDyuSE5g= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from LT02.fritz.box ([62.143.246.89]) by mail.gmx.net (mrgmx004 [212.227.17.184]) with ESMTPSA (Nemesis) id 1MrQIv-1lZwAK1ARD-00oXsP; Tue, 23 Feb 2021 21:37:43 +0100 From: Heinrich Schuchardt To: Alexander Graf Cc: u-boot@lists.denx.de, Heinrich Schuchardt Subject: [PATCH 1/1] efi_loader: limit output length for VenHw, VenMedia Date: Tue, 23 Feb 2021 21:37:39 +0100 Message-Id: <20210223203739.43310-1-xypron.glpk@gmx.de> X-Mailer: git-send-email 2.30.0 MIME-Version: 1.0 X-Provags-ID: V03:K1:U4Yh05U/XN8o0b5zhGYa+5yC/9rUbOV0PmxxUoet8gbpUveEiFm IY1C5o49X+rB/AupBUnBS/K7j0WcF2HvlYus5TTWoQ8MIdP4Ka6NdZGOYvcc/ABjB2LFibd hN0j1vMPxOInbiGe/YMnjN4nCKkDZLoOZs78uWSwn8s32AfcFal5y2M61qbSlnXSi7Yo5Gv m0Cpa3vEyxFbUF8w7hxnw== X-UI-Out-Filterresults: notjunk:1;V03:K0:q+N4669PvW0=:tRVoHPuXunyFiK1zvpioYE 9b9gBlAaCpedXLgXH6Uy5Eo07AckzNBXG3IBBin+ZoU2KFDBziTbYPKbwp3z38bVurcxMXlnM ghlxNxNXTUeVBDu+mxx/5j54mDGKLEbRW4J+RiWURB2/u2h+yN0GO502h5xc6SWq4VurKHDOQ 6SYaYXaAA/MRsFOrTndaKzHIAdGDGxYH9MlQ+zxdjEy0RLThBacL3Z+TdxYIZL13PoOCttJpC zt5k1g0dMKrLcI8RFPn7fZenh3rotDLGpxqwIM84P6z8FDLFtYd5fbDkoNqKWgNyi0z2MaHRf woPZee8D7IK0Nl43yWL5P3woLmx3qGHH6ENw+nR1oDNF6yPZDdlc6OpPbetq8VrZKBk/E6AQk PMmbyBRoNAaqnvzq8x+NpIp8KAkjkDV0YzZeqKL0AduMoJy9EVbIeLVrG6r/uRf3/dVmmO46b b6Wl62vEVKeQKDu7xHi0CsfCmc/XGypD1F9abJiusDOCbwvpUWrHqkfgBIXWiNIzmSK5BIau4 Q1DWzmbnEhHqzgmbAFYMrqNwv3AcsPKLnHAkHsdmvef6mQiyKBtsA5DCbZfzBLJzMuqyxoaW7 G0xa7+wPDAU4uHgF7+2Zg0JsQX+Y9R0NZaMRsducMyvOPmHt+m3zMVT5F3hV4kNhG2CPBKDyy SP+MpqbI3R03tEORhHbgHn2YqZbDCWL+fu3SR/Iqs/vnIjip0N/oyYNb8XkOi4j0TRZTpZ6JM CETAsO3XPHqvc/HJl4hsouOEaPThdqEsLtj14HIul+uwW4xSE0WEDTGX7DdnzWg+Zp5Qq+sRA Vl6NkmC0eY8z8B2TR3zq9s9UILuiak5fCsp8kAdYGPASnfQB5kQS7Me+oD0k7VSDdwnE1nkyt 9mjlr0sFKLYRdyzEYAKA== X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean VenHw and VenMedia device path nodes may carry vendor defined data of arbitrary length. When converting a device path node to text ensure that we do not overrun our internal buffer. In our implementation of EFI_DEVICE_PATH_TO_TEXT_PROTOCOL.ConvertDevicePathToText() we could first determine the output length and then allocate buffers but that would nearly double the code size. Therefore keep the preallocated buffers and truncate excessive device paths instead. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_device_path_to_text.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -- 2.30.0 diff --git a/lib/efi_loader/efi_device_path_to_text.c b/lib/efi_loader/efi_device_path_to_text.c index 81b8ac23ba..ba1ad33459 100644 --- a/lib/efi_loader/efi_device_path_to_text.c +++ b/lib/efi_loader/efi_device_path_to_text.c @@ -67,7 +67,8 @@ static char *dp_hardware(char *s, struct efi_device_path *dp) s += sprintf(s, "VenHw(%pUl", &vdp->guid); n = (int)vdp->dp.length - sizeof(struct efi_device_path_vendor); - if (n > 0) { + /* Node must fit into MAX_NODE_LEN) */ + if (n > 0 && n < MAX_NODE_LEN / 2 - 22) { s += sprintf(s, ","); for (i = 0; i < n; ++i) s += sprintf(s, "%02x", vdp->vendor_data[i]); @@ -251,7 +252,8 @@ static char *dp_media(char *s, struct efi_device_path *dp) s += sprintf(s, "VenMedia(%pUl", &vdp->guid); n = (int)vdp->dp.length - sizeof(struct efi_device_path_vendor); - if (n > 0) { + /* Node must fit into MAX_NODE_LEN) */ + if (n > 0 && n < MAX_NODE_LEN / 2 - 24) { s += sprintf(s, ","); for (i = 0; i < n; ++i) s += sprintf(s, "%02x", vdp->vendor_data[i]);