authorJean Delvare <jdelvare@suse.de>2022-12-16 10:36:55 +0100
committerJean Delvare <jdelvare@suse.de>2022-12-16 10:36:55 +0100
commit67dc0b27d50e3986d5e7cd35ec25cc5901a2e9e9 (patch)
treef2212f5827915383594e522cf6c608be54a1b223
parentf8016734735486c99eacc1bca975913535905c1f (diff)
downloaddmidecode-git-67dc0b27d50e3986d5e7cd35ec25cc5901a2e9e9.tar.gz
dmidecode: Fortify entry point length checks
Ensure that the SMBIOS entry point is long enough to include all the fields we need. Otherwise it is pointless to even attempt to verify its checksum. A similar check was added to the SMBIOS entry point parser in the Linux kernel. Signed-off-by: Jean Delvare <jdelvare@suse.de>
-rw-r--r--dmidecode.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/dmidecode.c b/dmidecode.c
index 9aeff91..4ce56e5 100644
--- a/dmidecode.c
+++ b/dmidecode.c
@@ -5700,7 +5700,8 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
return 0;
}
- if (!checksum(buf, buf[0x06]))
+ if (buf[0x06] < 0x18
+ || !checksum(buf, buf[0x06]))
return 0;
ver = (buf[0x07] << 16) + (buf[0x08] << 8) + buf[0x09];
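Review bot: The `0x18` minimum in the added condition is a bare constant, while the matching check added to smbios_decode in the next hunk carries a comment explaining its value. I would add one here as well, for example `/* The 64-bit entry point structure is 0x18 bytes long */`, so a reader can check the bound against the offsets the function goes on to read. Only the version bytes at 0x07-0x09 are visible in this hunk, and smbios3_decode starts and ends outside it. Any upper bound on buf[0x06] would sit in the lines before the hunk, which are not shown, so it is worth confirming that the two bounds together keep checksum() inside the buffer.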
@@ -5747,7 +5748,12 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
return 0;
}
- if (!checksum(buf, buf[0x05])
+ /*
+ * The size of this structure is 0x1F bytes, but we also accept value
+ * 0x1E due to a mistake in SMBIOS specification version 2.1.
+ */
+ if (buf[0x05] < 0x1E
+ || !checksum(buf, buf[0x05])
|| memcmp(buf + 0x10, "_DMI_", 5) != 0
|| !checksum(buf + 0x10, 0x0F))
return 0;
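Review bot: With a declared length of 0x1E accepted, `checksum(buf + 0x10, 0x0F)` still reads through offset 0x1E, so this condition touches 0x1F bytes of buf whatever buf[0x05] says. smbios_decode takes no buffer length (per the signature in the hunk header), so that read is only safe if every caller supplies at least 0x1F bytes, which the hunk does not show. I would extend the new comment with a line such as `Callers must supply at least 0x1F bytes: the intermediate checksum below reads up to offset 0x1E regardless of the declared length.` The function starts and ends outside the hunk.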