Date:      Thu, 25 Jul 2024 05:13:24 GMT
From:      Warner Losh <imp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 06326613afeb - main - smbios: Add length sanity checking
Message-ID:  <202407250513.46P5DOOG082491@gitrepo.freebsd.org>

The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=06326613afebc645433c6bf8a2249cf978db9e71

commit 06326613afebc645433c6bf8a2249cf978db9e71
Author:     Warner Losh <imp@FreeBSD.org>
AuthorDate: 2024-07-25 05:02:27 +0000
Commit:     Warner Losh <imp@FreeBSD.org>
CommitDate: 2024-07-25 05:09:57 +0000

    smbios: Add length sanity checking
    
    D28743 was committed, reverted and then f689cb23b2782 landed before it
    was recommitted. However, D28743 included an extra length check. Redo
    that functionality so we check both the number of entries and the
    length, to guard against wacky data.
    
    Sponsored by:           Netflix
    Reviewed by:            gallatin
    Differential Revision:  https://reviews.freebsd.org/D45763
---
 sys/dev/ipmi/ipmi_smbios.c | 4 ++--
 sys/dev/smbios/smbios.h    | 8 +++++---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/sys/dev/ipmi/ipmi_smbios.c b/sys/dev/ipmi/ipmi_smbios.c
index 546db8f2677c..f9fc958d9739 100644
--- a/sys/dev/ipmi/ipmi_smbios.c
+++ b/sys/dev/ipmi/ipmi_smbios.c
@@ -192,8 +192,8 @@ ipmi_smbios_probe(struct ipmi_get_info *info)
 	/* Now map the actual table and walk it looking for an IPMI entry. */
 	table = pmap_mapbios(header->structure_table_address,
 	    header->structure_table_length);
-	smbios_walk_table(table, header->number_structures, smbios_ipmi_info,
-	    info);
+	smbios_walk_table(table, header->number_structures,
+	    header->structure_table_length, smbios_ipmi_info, info);
 
 	/* Unmap everything. */
 	pmap_unmapbios(table, header->structure_table_length);
diff --git a/sys/dev/smbios/smbios.h b/sys/dev/smbios/smbios.h
index 42b7e1181486..01e67556cfc0 100644
--- a/sys/dev/smbios/smbios.h
+++ b/sys/dev/smbios/smbios.h
@@ -80,11 +80,13 @@ struct smbios_structure_header {
 typedef void (*smbios_callback_t)(struct smbios_structure_header *, void *);
 
 static inline void
-smbios_walk_table(uint8_t *p, int entries, smbios_callback_t cb, void *arg)
+smbios_walk_table(uint8_t *p, int entries, vm_size_t len,
+    smbios_callback_t cb, void *arg)
 {
 	struct smbios_structure_header *s;
+	uint8_t *endp = p + len;
 
-	while (entries--) {
+	while (entries-- && p < endp) {
 		s = (struct smbios_structure_header *)p;
 		cb(s, arg);
 
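Review bot: The new outer guard `p < endp` only proves that one byte of the next structure lies inside the mapped table, yet the loop then casts `p` to `struct smbios_structure_header *` and passes it to `cb`. A table that ends mid-header is therefore still read past `endp`. Comparing the remaining space with the header size closes that gap: `while (entries-- && (size_t)(endp - p) >= sizeof(*s)) {`. The callbacks presumably read fields beyond the header as well, so the bound they can rely on is worth stating in a comment above the function. The loop body continues outside this hunk.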
@@ -93,7 +95,7 @@ smbios_walk_table(uint8_t *p, int entries, smbios_callback_t cb, void *arg)
 		 * formatted area of this structure.
 		 */
 		p += s->length;
-		while (!(p[0] == 0 && p[1] == 0))
+		while (p + 1 < endp && !(p[0] == 0 && p[1] == 0))
 			p++;
 
 		/*
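Review bot: `p += s->length` just above the new inner guard still advances by a firmware-supplied length that is never validated. The added `p + 1 < endp` keeps the string scan from dereferencing past the table, but a length smaller than the header restarts the scan inside the header and misaligns every later structure, and a length larger than the remaining table forms a pointer beyond the mapping before it is compared. Rejecting both cases before the advance would stop the walk cleanly: `if (s->length < sizeof(*s) || s->length > (size_t)(endp - p)) break;`. A short comment on the guard, such as `/* Terminator is two NUL bytes; stop before p[1] would pass endp. */`, would also record why the bound is `p + 1`. The rest of the loop, including the step over the terminator, lies outside this hunk.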


