[PATCH] uefi: uefidump: add some guarding on allocation size

Colin King colin.king at canonical.com
Thu Nov 9 12:35:10 UTC 2017 

From: Colin Ian King <colin.king at canonical.com>

Static analysis with CoverityScan is warning about a possible allocation
of an untrusted size calculated from u->dev_path.length.  Add some extra
checking on this.  This does not remove the warning but I'm sure it's as
good as we can to check untrusted data warnings from CoverityScan.
Also remove a whitespace.

Signed-off-by: Colin Ian King <colin.king at canonical.com>
---
 src/uefi/uefidump/uefidump.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/uefi/uefidump/uefidump.c b/src/uefi/uefidump/uefidump.c
index f73ed6e1..55ce7f23 100644
--- a/src/uefi/uefidump/uefidump.c
+++ b/src/uefi/uefidump/uefidump.c
@@ -434,18 +434,21 @@ static char *uefidump_build_dev_path(char *path, fwts_uefi_dev_path *dev_path, c
 				uint16_t len = u->dev_path.length[0] | (((uint16_t)u->dev_path.length[1]) << 8);
 				path = uefidump_vprintf(path, "\\USBWWID(0x%" PRIx16 ",0x%" PRIx16 ",0x%" PRIx16,
 					u->interface_num, u->vendor_id, u->product_id);
+				ssize_t sz;
 
 				/* Adding Serial Number */
-
 				if (len <= sizeof(fwts_uefi_usb_wwid_dev_path)) {
 					path = uefidump_vprintf(path, ")");
 					break;
 				}
-				tmp = malloc((len - sizeof(fwts_uefi_usb_wwid_dev_path))/sizeof(uint16_t) + 1);
-				if (tmp) {	
-					fwts_uefi_str16_to_str(tmp, (len - sizeof(fwts_uefi_usb_wwid_dev_path))/sizeof(uint16_t) + 1, u->serial_number);
-					path = uefidump_vprintf(path, ",%s", tmp);
-					free(tmp);
+				sz = ((ssize_t)len - sizeof(fwts_uefi_usb_wwid_dev_path)) / sizeof(uint16_t) + 1;
+				if ((sz > 0) && (sz <= 0xffff)) {
+					tmp = malloc(sz);
+					if (tmp) {
+						fwts_uefi_str16_to_str(tmp, sz, u->serial_number);
+						path = uefidump_vprintf(path, ",%s", tmp);
+						free(tmp);
+					}
 				}
 				path = uefidump_vprintf(path, ")");
 			}
@@ -1271,7 +1274,7 @@ static void uefidump_info_signaturedatabase(fwts_framework *fw, fwts_uefi_var *v
 		return;
 
 	do {
-		fwts_uefi_signature_list *signature_list = 
+		fwts_uefi_signature_list *signature_list =
 			(fwts_uefi_signature_list *)(var->data + list_start);
 		const char *str = "Unknown GUID";
 		size_t offset = 0;
-- 
2.14.1

More information about the fwts-devel mailing list