From 8ff32018e8dd53c26d1f0daef118037fdae58c68 Mon Sep 17 00:00:00 2001

From: Jean Delvare <jdelvare@suse.de>

Date: Wed, 1 Aug 2018 09:54:45 +0200

Subject: [PATCH 19/21] dmidecode: Avoid OOB read on invalid entry point length

Don't let the entry point checksum verification run beyond the end of

the buffer holding it (32 bytes).

This bug was discovered by Lionel Debroux using the AFL fuzzer and

AddressSanitizer.

Signed-off-by: Jean Delvare <jdelvare@suse.de>

---

 dmidecode.c | 18 ++++++++++++++++++

 1 file changed, 18 insertions(+)

diff --git a/dmidecode.c b/dmidecode.c

index fa6ecf1..474ca7b 100644

--- a/dmidecode.c

+++ b/dmidecode.c

@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)

 	u32 ver;

 	u64 offset;

+	/* Don't let checksum run beyond the buffer */

+	if (buf[0x06] > 0x20)

+	{

+		fprintf(stderr,

+			"Entry point length too large (%u bytes, expected %u).\n",

+			(unsigned int)buf[0x06], 0x18U);

+		return 0;

+	}

+

 	if (!checksum(buf, buf[0x06]))

 		return 0;

@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)

 {

 	u16 ver;

+	/* Don't let checksum run beyond the buffer */

+	if (buf[0x05] > 0x20)

+	{

+		fprintf(stderr,

+			"Entry point length too large (%u bytes, expected %u).\n",

+			(unsigned int)buf[0x05], 0x1FU);

+		return 0;

+	}

+

 	if (!checksum(buf, buf[0x05])

 	 || memcmp(buf + 0x10, "_DMI_", 5) != 0

 	 || !checksum(buf + 0x10, 0x0F))

-- 

2.17.1