From e9ce922ddf2ec6c1095f42ee9857f369084761c3 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 9 May 2017 15:34:08 -0400
Subject: [PATCH 23/24] efi_loadopt_create(): avoid NULL dereference
covscan rightly points out that dp is allowed to be NULL (and so is
buf), so we can't pass those in to memcpy() in those cases.
So don't.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/loadopt.c | 46 +++++++++++++++++++++++++++-------------------
1 file changed, 27 insertions(+), 19 deletions(-)
diff --git a/src/loadopt.c b/src/loadopt.c
index 5301f3d..cf0886d 100644
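--- a/src/loadopt.c
+++ b/src/loadopt.c
@@ -56,36 +56,44 @@ efi_loadopt_create(uint8_t *buf, ssize_t size, uint32_t attributes,
 }
 
 if (!buf) {
+invalid:
 errno = EINVAL;
 return -1;
 }
 
- if (!optional_data && optional_data_size != 0) {
- errno = EINVAL;
- return -1;
- }
+ if (!optional_data && optional_data_size != 0)
+ goto invalid;
 
- if (!dp && dp_size == 0) {
- errno = EINVAL;
- return -1;
- }
+ if ((!dp && dp_size == 0) || dp_size < 0)
+ goto invalid;
+
+ if (dp) {
+ if (!efidp_is_valid(dp, dp_size))
+ goto invalid;
 
- uint8_t *pos = buf;
+ if (efidp_size(dp) != dp_size)
+ goto invalid;
+ }
 
- *(uint32_t *)pos = attributes;
- pos += sizeof (attributes);
+ if (buf) {
+ uint8_t *pos = buf;
+ *(uint32_t *)pos = attributes;
+ pos += sizeof (attributes);
 
- *(uint16_t *)pos = dp_size;
- pos += sizeof (uint16_t);
+ *(uint16_t *)pos = dp_size;
+ pos += sizeof (uint16_t);
 
- utf8_to_ucs2((uint16_t *)pos, desc_len, 1, (uint8_t *)description);
- pos += desc_len;
+ utf8_to_ucs2((uint16_t *)pos, desc_len, 1,
+ (uint8_t *)description);
+ pos += desc_len;
 
- memcpy(pos, dp, dp_size);
- pos += dp_size;
+ if (dp)
+ memcpy(pos, dp, dp_size);
+ pos += dp_size;
 
- if (optional_data && optional_data_size > 0)
- memcpy(pos, optional_data, optional_data_size);
+ if (optional_data && optional_data_size > 0)
+ memcpy(pos, optional_data, optional_data_size);
+ }
 
 return sz;
 }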
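Review bot: When `dp` is NULL and `dp_size` is positive, the new `if (dp) memcpy(pos, dp, dp_size);` skips the copy, but `pos += dp_size;` still advances and `dp_size` has already been stored in the length field, so that many bytes of the caller's buffer are emitted as device-path data without ever being written. The guard `(!dp && dp_size == 0)` admits exactly that case while rejecting the harmless NULL/0 pair; it reads as inverted next to the `optional_data` check above it, though the intended contract is not visible here. If a NULL path is never meant to carry a length, `if ((!dp && dp_size != 0) || dp_size < 0 || dp_size > UINT16_MAX) goto invalid;` would close it and also stop `*(uint16_t *)pos = dp_size;` from silently truncating a larger value. The `if (buf)` wrapper is always true at that point, because the `if (!buf)` block above has already returned. The start of the function, where `sz` and `desc_len` are computed, lies outside the hunk.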
--
2.12.2