Date:      Mon, 1 May 2023 21:28:52 GMT
From:      Warner Losh <imp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: a5b4ec528192 - main - stand: More protection against malformed smbios tables
Message-ID:  <202305012128.341LSqiM085957@gitrepo.freebsd.org>

The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a5b4ec5281929a9b7ef4a8005bb4b0035322e922

commit a5b4ec5281929a9b7ef4a8005bb4b0035322e922
Author:     Warner Losh <imp@FreeBSD.org>
AuthorDate: 2023-05-01 21:12:41 +0000
Commit:     Warner Losh <imp@FreeBSD.org>
CommitDate: 2023-05-01 21:12:41 +0000

    stand: More protection against malformed smbios tables
    
    Add some more sanity checks to make sure we don't march off the end of
    the table. Typically, smbios structures are well formed, or Windows
    wouldn't boot. Sometimes they aren't, and this at least fails safe.
    
    Sponsored by:           Netflix
    Differential Revision:  https://reviews.freebsd.org/D39794
---
 stand/libsa/smbios.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/stand/libsa/smbios.c b/stand/libsa/smbios.c
index a88d3ac4ab69..01083fdfd756 100644
--- a/stand/libsa/smbios.c
+++ b/stand/libsa/smbios.c
@@ -520,19 +520,23 @@ smbios_find_struct(int type)
 {
 	caddr_t		dmi;
 	size_t		i;
+	caddr_t		ep;
 
 	if (smbios.addr == NULL)
 		return (NULL);
 
+	ep = smbios.addr + smbios.length;
 	for (dmi = smbios.addr, i = 0;
-	     dmi < smbios.addr + smbios.length && i < smbios.count; i++) {
-		if (SMBIOS_GET8(dmi, 0) == type)
+	     dmi < ep && i < smbios.count; i++) {
+		if (SMBIOS_GET8(dmi, 0) == type) {
 			return dmi;
+		}
 		/* Find structure terminator. */
 		dmi = SMBIOS_GETSTR(dmi);
-		while (SMBIOS_GET16(dmi, 0) != 0)
+		while (SMBIOS_GET16(dmi, 0) != 0 && dmi < ep) {
 			dmi++;
-		dmi += 2;
+		}
+		dmi += 2;	/* For checksum */
 	}
 
 	return (NULL);
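
Review bot: In the terminator loop, `while (SMBIOS_GET16(dmi, 0) != 0 && dmi < ep)` evaluates the 16-bit read before the bounds test, so once dmi has reached or passed ep the out-of-table read still happens one more time before the loop stops. Put the bound first and allow for the two-byte access, for example `while (dmi + 1 < ep && SMBIOS_GET16(dmi, 0) != 0)`. The pointer assigned from `SMBIOS_GETSTR(dmi)` is also used without being compared against ep, so a malformed structure can start the scan already outside the table; a check directly after that assignment (returning NULL or breaking out) would close this. Separately, the new comment `/* For checksum */` on `dmi += 2` does not match the loop above it, which searches for a 16-bit zero under "Find structure terminator"; the two bytes skipped are that terminator, and the comment should say so.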


