[PATCH] dmicheck: fix incorrect boundary checks for various types

Alex Hung alex.hung at canonical.com
Tue Sep 4 20:40:16 UTC 2018 

Fixes include boundary checks for type 17, 26, 27, 28, 29, 38 and 43.

Signed-off-by: Alex Hung <alex.hung at canonical.com>
---
 src/dmi/dmicheck/dmicheck.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/dmi/dmicheck/dmicheck.c b/src/dmi/dmicheck/dmicheck.c
index 8497c2ab..97305eca 100644
--- a/src/dmi/dmicheck/dmicheck.c
+++ b/src/dmi/dmicheck/dmicheck.c
@@ -1475,11 +1475,13 @@ static void dmicheck_entry(fwts_framework *fw,
 			dmi_str_check(fw, table, addr, "Serial Number", hdr, 0x18);
 			dmi_str_check(fw, table, addr, "Asset Tag", hdr, 0x19);
 			dmi_str_check(fw, table, addr, "Part Number", hdr, 0x1a);
-			if (hdr->length < 0x20)
+			if (hdr->length < 0x1c)
 				break;
 			dmi_reserved_bits_check(fw, table, addr, "Attributes", hdr, sizeof(uint8_t), 0x1b, 4, 7);
+			if (hdr->length < 0x20)
+				break;
 			dmi_reserved_bits_check(fw, table, addr, "Extended Size", hdr, sizeof(uint32_t), 0x1c, 31, 31);
-			if (hdr->length < 0x28)
+			if (hdr->length < 0x3c)
 				break;
 			dmi_min_max_uint8_check(fw, table, addr, "Memory Technology", hdr, 0x28, 0x1, 0x7);
 			dmi_reserved_bits_check(fw, table, addr, "Memory Operating Mode Cap", hdr, sizeof(uint16_t), 0x29, 6, 15);
@@ -1614,7 +1616,7 @@ static void dmicheck_entry(fwts_framework *fw,
 
 		case 26: /* 7.27 */
 			table = "Voltage Probe (Type 26)";
-			if (hdr->length < 0x14)
+			if (hdr->length < 0x16)
 				break;
 			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
 			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f);
@@ -1623,7 +1625,7 @@ static void dmicheck_entry(fwts_framework *fw,
 
 		case 27: /* 7.28 */
 			table = "Cooling Device (Type 27)";
-			if (hdr->length < 0xc)
+			if (hdr->length < 0xe)
 				break;
 			val = data[0x06] & 0x1f;
 			if (!(((val >= 0x01) && (val <= 0x09)) ||
@@ -1643,7 +1645,7 @@ static void dmicheck_entry(fwts_framework *fw,
 
 		case 28: /* 7.29 */
 			table = "Temperature Probe (Type 28)";
-			if (hdr->length < 0x14)
+			if (hdr->length < 0x16)
 				break;
 			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
 			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xf, 0, 0x1f);
@@ -1652,7 +1654,7 @@ static void dmicheck_entry(fwts_framework *fw,
 
 		case 29: /* 7.30 */
 			table = "Electrical Current Probe (Type 29)";
-			if (hdr->length < 0x14)
+			if (hdr->length < 0x16)
 				break;
 			dmi_str_check(fw, table, addr, "Description", hdr, 0x4);
 			dmi_min_max_mask_uint8_check(fw, table, addr, "Location (bits 0..4)", hdr, 0x5, 0x1, 0xb, 0, 0x1f);
@@ -1732,6 +1734,8 @@ static void dmicheck_entry(fwts_framework *fw,
 
 		case 38: /* 7.39 */
 			table = "IPMI Device Information (Type 38)";
+			if (hdr->length < 0x12)
+				break;
 			dmi_min_max_uint8_check(fw, table, addr, "Interface Type", hdr, 0x4, 0x0, 0x4);
 
 			dmi_reserved_bits_check(fw, table, addr, "Base Addr Modifier/Interrupt Info", hdr, sizeof(uint8_t), 0x10, 2, 2);
@@ -1782,7 +1786,7 @@ static void dmicheck_entry(fwts_framework *fw,
 
 		case 43: /* 7.44 */
 			table = "TPM Device (Type 43)";
-			if (hdr->length < 0x16)
+			if (hdr->length < 0x1b)
 				break;
 			dmi_str_check(fw, table, addr, "Description", hdr, 0x12);
 			dmi_reserved_bits_check(fw, table, addr, "Characteristics", hdr, sizeof(uint64_t), 0x13, 6, 63);
-- 
2.17.1

More information about the fwts-devel mailing list