diff options
| author | Warner Losh <imp@FreeBSD.org> | 2023-05-01 21:12:41 +0000 |
|---|---|---|
| committer | Warner Losh <imp@FreeBSD.org> | 2023-05-01 21:12:41 +0000 |
| commit | a5b4ec5281929a9b7ef4a8005bb4b0035322e922 (patch) | |
| tree | 563250a887fb709b3ee7a9c5fc35d5f09f4246a4 | |
| parent | c5e433b99ed3ddef0eb4fa937f38c34d4a3c4ae0 (diff) | |
| download | src-a5b4ec5281929a9b7ef4a8005bb4b0035322e922.tar.gz src-a5b4ec5281929a9b7ef4a8005bb4b0035322e922.zip | |
stand: More protection against malformed smbios tables
Add some more sanity checks to make sure we don't march off the end of
the table. Typically, smbios structures are well formed, or Windows
wouldn't boot. Sometimes they aren't, and this at least fails safe.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D39794
| -rw-r--r-- | stand/libsa/smbios.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/stand/libsa/smbios.c b/stand/libsa/smbios.c index a88d3ac4ab69..01083fdfd756 100644 --- a/stand/libsa/smbios.c +++ b/stand/libsa/smbios.c @@ -520,19 +520,23 @@ smbios_find_struct(int type) { caddr_t dmi; size_t i; + caddr_t ep; if (smbios.addr == NULL) return (NULL); + ep = smbios.addr + smbios.length; for (dmi = smbios.addr, i = 0; - dmi < smbios.addr + smbios.length && i < smbios.count; i++) { - if (SMBIOS_GET8(dmi, 0) == type) + dmi < ep && i < smbios.count; i++) { + if (SMBIOS_GET8(dmi, 0) == type) { return dmi; + } /* Find structure terminator. */ dmi = SMBIOS_GETSTR(dmi); - while (SMBIOS_GET16(dmi, 0) != 0) + while (SMBIOS_GET16(dmi, 0) != 0 && dmi < ep) { dmi++; - dmi += 2; + } + dmi += 2; /* For checksum */ } return (NULL); |