authorJean Delvare <jdelvare@suse.de>2018-08-01 09:54:45 +0200
committerJean Delvare <jdelvare@suse.de>2018-08-01 09:54:45 +0200
commit8ff32018e8dd53c26d1f0daef118037fdae58c68 (patch)
tree582e9743ebb9d727124cf863063e0af793a936b8
parent5a83719602d847290f80e79c898f0a7543ce8778 (diff)
dmidecode: Avoid OOB read on invalid entry point length
Don't let the entry point checksum verification run beyond the end of the buffer holding it (32 bytes). This bug was discovered by Lionel Debroux using the AFL fuzzer and AddressSanitizer. Signed-off-by: Jean Delvare <jdelvare@suse.de>
-rw-r--r--dmidecode.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/dmidecode.c b/dmidecode.c
index fa6ecf1..474ca7b 100644
--- a/dmidecode.c
+++ b/dmidecode.c
@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
u32 ver;
u64 offset;
+ /* Don't let checksum run beyond the buffer */
+ if (buf[0x06] > 0x20)
+ {
+ fprintf(stderr,
+ "Entry point length too large (%u bytes, expected %u).\n",
+ (unsigned int)buf[0x06], 0x18U);
+ return 0;
+ }
+
if (!checksum(buf, buf[0x06]))
return 0;
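Review bot: The new guard `if (buf[0x06] > 0x20)` bounds the declared length only from above, so an entry point claiming fewer than the 0x18 bytes the error message itself calls expected — down to 0 — still reaches `checksum(buf, buf[0x06])`; if checksum() is the usual sum-to-zero over `len` bytes (it is not visible in this hunk), a length of 0 passes trivially and the version and table-address fields that smbios3_decode reads further down are never covered by any checksum. Rejecting short lengths as well, `if (buf[0x06] < 0x18 || buf[0x06] > 0x20)`, closes that while keeping the OOB fix. The 0x20 limit is the 32-byte caller buffer named in the commit message rather than anything the SMBIOS 3 format defines, which the comment could say outright: `/* Cap at the 32-byte buffer the caller hands us, not just at the 0x18 the spec defines */`, so a later resize of that buffer does not silently invalidate this bound. smbios3_decode continues past the end of the hunk.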
@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
{
u16 ver;
+ /* Don't let checksum run beyond the buffer */
+ if (buf[0x05] > 0x20)
+ {
+ fprintf(stderr,
+ "Entry point length too large (%u bytes, expected %u).\n",
+ (unsigned int)buf[0x05], 0x1FU);
+ return 0;
+ }
+
if (!checksum(buf, buf[0x05])
|| memcmp(buf + 0x10, "_DMI_", 5) != 0
|| !checksum(buf + 0x10, 0x0F))
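Review bot: The literal `0x20` in `if (buf[0x05] > 0x20)` encodes the size of a buffer that is declared in the callers and is now repeated verbatim in smbios3_decode, so the two guards and the buffer they protect can drift independently. A single named constant, e.g. `#define SMBIOS_ENTRY_POINT_BUF_LEN 0x20`, used in both checks and in the caller's buffer declaration would tie them together. As in the SMBIOS 3 path, a declared length below 0x1F (down to 0) is still accepted here; the fixed `checksum(buf + 0x10, 0x0F)` still covers the `_DMI_` sub-structure, but the bytes before 0x10 — including the SMBIOS version at 0x06/0x07 that smbios_decode presumably reads next — are only checksummed when the declared length reaches them, so `if (buf[0x05] < 0x1F || buf[0x05] > 0x20)` would be the stricter guard. The hunk opens on smbios_decode's brace and the function body continues past it.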