author | Jean Delvare <jdelvare@suse.de> | 2022-12-16 10:36:55 +0100 |
---|---|---|
committer | Jean Delvare <jdelvare@suse.de> | 2022-12-16 10:36:55 +0100 |
commit | 67dc0b27d50e3986d5e7cd35ec25cc5901a2e9e9 (patch) | |
tree | f2212f5827915383594e522cf6c608be54a1b223 | |
parent | f8016734735486c99eacc1bca975913535905c1f (diff) | |
dmidecode: Fortify entry point length checks
Ensure that the SMBIOS entry point is long enough to include all the
fields we need. Otherwise it is pointless to even attempt to verify
its checksum.
A similar check was added to the SMBIOS entry point parser in the
Linux kernel.
Signed-off-by: Jean Delvare <jdelvare@suse.de>
-rw-r--r-- | dmidecode.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/dmidecode.c b/dmidecode.c
index 9aeff91..4ce56e5 100644
--- a/dmidecode.c
+++ b/dmidecode.c
@@ -5700,7 +5700,8 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
 return 0;
 }
- if (!checksum(buf, buf[0x06]))
+ if (buf[0x06] < 0x18
+ || !checksum(buf, buf[0x06]))
 return 0;
 ver = (buf[0x07] << 16) + (buf[0x08] << 8) + buf[0x09];
@@ -5747,7 +5748,12 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
 return 0;
 }
- if (!checksum(buf, buf[0x05])
+ /*
+ * The size of this structure is 0x1F bytes, but we also accept value
+ * 0x1E due to a mistake in SMBIOS specification version 2.1.
+ */
+ if (buf[0x05] < 0x1E
+ || !checksum(buf, buf[0x05])
 || memcmp(buf + 0x10, "_DMI_", 5) != 0
 || !checksum(buf + 0x10, 0x0F))
 return 0; |
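Review bot: The new lower bound `0x18` in smbios3_decode has no explanation, unlike the `0x1E` bound this commit documents in smbios_decode. The length byte at offset 0x06 comes from the entry point itself, so a reader should be able to see why a smaller value is rejected before the checksum runs. I would add a comment above the condition such as `/* The SMBIOS 3.x entry point is 0x18 bytes long; a shorter length cannot cover the fields read below. */`. The function's body starts and ends outside the hunk, so the reads after `ver` that depend on this bound are not visible here.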
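Review bot: In smbios_decode, when the length byte is `0x1E` the call `checksum(buf, buf[0x05])` covers offsets 0x00 to 0x1D only, while `checksum(buf + 0x10, 0x0F)` still reads through offset 0x1E. Integrity is not weakened, since the intermediate checksum covers that last byte, but the reads then depend on the caller's buffer holding at least 0x1F bytes whatever the length field says, and that guarantee is not visible in this hunk. I would extend the new comment with one sentence, for example `Offsets up to 0x1E are read either way, so buf must hold at least 0x1F bytes.` The function's body starts and ends outside the hunk.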