From patchwork Wed Apr 11 23:50:51 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Colin Ian King
X-Patchwork-Id: 151941
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 5D3B6B705D; Thu, 12 Apr 2012 09:52:35 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) id 1SI7L0-0001zV-5x for incoming@patchwork.ozlabs.org; Wed, 11 Apr 2012 23:52:34 +0000
Received: from youngberry.canonical.com ([91.189.89.112]) by chlorine.canonical.com with esmtp (Exim 4.71) id 1SI7KG-0001wz-9X for fwts-devel@lists.ubuntu.com; Wed, 11 Apr 2012 23:51:48 +0000
Received: from cpc19-craw6-2-0-cust5.croy.cable.virginmedia.com ([77.102.228.6] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) id 1SI7KG-00051U-5t for fwts-devel@lists.ubuntu.com; Wed, 11 Apr 2012 23:51:48 +0000
From: Colin King
To: fwts-devel@lists.ubuntu.com
Subject: [PATCH 06/11] lib: fwts_acpi_tables: ensure we don't overflow a table name when given bad input
Date: Thu, 12 Apr 2012 00:50:51 +0100
Message-Id: <1334188256-26566-7-git-send-email-colin.king@canonical.com>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1334188256-26566-1-git-send-email-colin.king@canonical.com>
References: <1334188256-26566-1-git-send-email-colin.king@canonical.com>
X-BeenThere: fwts-devel@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Firmware Test Suite Development
Sender: fwts-devel-bounces@lists.ubuntu.com
Errors-To: fwts-devel-bounces@lists.ubuntu.com

From: Colin Ian King
Signed-off-by: Colin Ian King
Acked-by: Keng-Yu Lin
Acked-by: Alex Hung
---
 src/lib/src/fwts_acpi_tables.c | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/src/lib/src/fwts_acpi_tables.c b/src/lib/src/fwts_acpi_tables.c
index 0a90d37..f09e94c 100644
--- a/src/lib/src/fwts_acpi_tables.c
+++ b/src/lib/src/fwts_acpi_tables.c
@@ -19,6 +19,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -308,25 +309,40 @@ static uint8_t *fwts_acpi_load_table_from_acpidump(FILE *fp, char *name, uint64_
 {
 	uint32_t offset;
 	uint8_t data[16];
-	char buffer[80];
+	char buffer[128];
 	uint8_t *table = NULL;
 	char *ptr = buffer;
 	size_t len = 0;
 	unsigned long long table_addr;
+	ptrdiff_t name_len;

 	*size = 0;

 	if (fgets(buffer, sizeof(buffer), fp) == NULL)
 		return NULL;

-	for (ptr = buffer; *ptr && *ptr != '@'; ptr++)
-		;
-
-	if ((*ptr != '@') || ((ptr - buffer) < 5))
-		return NULL;	/* Bad name? */
+	/*
+	 * Parse tablename followed by address, e.g.
+	 *   DSTD @ 0xbfa02344
+	 *   SSDT4 @ 0xbfa0f230
+	 */
+	ptr = strstr(buffer, "@ 0x");
+	if (ptr == NULL)
+		return NULL;	/* Can't find table name */
+
+	name_len = ptr - buffer;
+	/*
+	 * We should have no more than the table name (4..5 chars)
+	 * plus a space left between the start of the buffer and
+	 * the @ sign.  If we have more then something is wrong with
+	 * the data.  So just ignore this garbage as we don't want to
+	 * overflow the name on the following strcpy()
+	 */
+	if ((name_len > 6) || (name_len < 5))
+		return NULL;	/* Name way too long or too short */

 	if (sscanf(ptr, "@ 0x%Lx\n", &table_addr) < 1)
-		return NULL;
+		return NULL;	/* Can't parse address */

 	*(ptr-1) = '\0';
 	strcpy(name, buffer);
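Review bot: in the first hunk the name of the added header has been lost in this copy of the patch, so it cannot be checked here; the new `ptrdiff_t name_len` in the second hunk requires <stddef.h>, which is presumably what this `+#include` line adds. Please confirm that is the header being added, since without it the build depends on stddef.h arriving transitively through one of the neighbouring includes.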
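Review bot: in the second hunk the accepted range `(name_len > 6) || (name_len < 5)` encodes an assumption about the size of `name` that is not visible in this function: after `*(ptr-1) = '\0'` the `strcpy(name, buffer)` writes at most 5 characters plus a terminator, so every caller's `name` buffer must be at least 6 bytes and nothing in the signature or the function comment says so. Suggest either documenting that minimum where the function is declared, or passing the buffer size and using snprintf() so the bound lives with the buffer rather than in a literal 6. Two smaller points on the same hunk: the example in the new comment, `DSTD @ 0xbfa02344`, should read `DSDT`; and because only `ptr-1` is terminated, a line such as `DSDT  @ 0x...` (two spaces, so `name_len == 6`) passes the check and copies `"DSDT "` with a trailing space into `name`, so additionally checking that `buffer[name_len-1]` is a space and that the name itself contains no whitespace would make the rejection of garbage input complete. Finally, `%Lx` in the unchanged `sscanf()` line is a glibc extension; the standard length modifier for `unsigned long long` is `ll` (`%llx`).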
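To make the fix concrete, the following is an added example and not fwts code: it re-implements the pre-patch acceptance rule (scan to the first `@`, require at least 5 bytes before it) and the post-patch rule (anchor on `"@ 0x"`, require 5..6 bytes before it) as stand-alone functions and runs both over constructed acpidump-style lines, including one with an over-long table name. The pre-patch version only reports how many bytes its `strcpy()` would write, so nothing actually overflows. `NAME_MAX`, the helper names and the sample lines are assumptions of this example; `%llx` is used in place of the source's glibc-specific `%Lx`.

```c
/*
 * Added example (not fwts code): the acpidump "NAME @ 0xADDR" line parser
 * before and after the patch, driven with constructed input lines.
 * old_rule_copy_len() only reports how many bytes the pre-patch strcpy()
 * would write; it copies nothing, so the over-long line cannot overflow here.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the caller's name buffer holds a 5-char table name plus NUL. */
#define NAME_MAX 6

/* Constructed input lines in acpidump's "NAME @ 0xADDR" format. */
static const char *const GOOD_LINE     = "DSDT @ 0xbfa02344\n";
static const char *const GOOD_LINE5    = "SSDT4 @ 0xbfa0f230\n";
static const char *const LONG_NAME_LINE =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA @ 0x1000\n";   /* 32-char "name" */
static const char *const NO_NAME_LINE  = "@ 0x1000\n";
static const char *const NO_SPACE_LINE = "DSDT@0x1000\n";

/*
 * Pre-patch rule: scan to the first '@' and require at least 5 bytes
 * before it. Returns the number of bytes strcpy() would then write into
 * name (name chars + NUL, i.e. the distance to '@'), or 0 if rejected.
 * There is no upper bound: a long name means a long copy.
 */
static size_t old_rule_copy_len(const char *line)
{
    const char *ptr;

    for (ptr = line; *ptr && *ptr != '@'; ptr++)
        ;
    if (*ptr != '@' || (ptr - line) < 5)
        return 0;
    return (size_t)(ptr - line);
}

/*
 * Post-patch rule: anchor on "@ 0x", require 5..6 bytes before it
 * (4 or 5 name chars plus one space), then parse the address.
 * Returns 0 and fills name/addr on success, -1 if the line is rejected.
 */
static int new_rule_parse(const char *line, char name[NAME_MAX],
                          unsigned long long *addr)
{
    const char *ptr = strstr(line, "@ 0x");
    ptrdiff_t name_len;

    if (ptr == NULL)
        return -1;                          /* no "NAME @ 0x" shape */
    name_len = ptr - line;
    if (name_len > 6 || name_len < 5)
        return -1;                          /* name too long or too short */
    if (sscanf(ptr, "@ 0x%llx", addr) < 1)
        return -1;                          /* address not hex */
    memcpy(name, line, (size_t)(name_len - 1));   /* drop the space */
    name[name_len - 1] = '\0';              /* at most NAME_MAX bytes */
    return 0;
}

/* Check helper: 1 if the new rule accepts line with exactly this name/addr. */
static int new_rule_accepts(const char *line, const char *want_name,
                            unsigned long long want_addr)
{
    char name[NAME_MAX];
    unsigned long long addr = 0;

    if (new_rule_parse(line, name, &addr) != 0)
        return 0;
    return strcmp(name, want_name) == 0 && addr == want_addr;
}

int main(void)
{
    const char *const lines[] = { GOOD_LINE, GOOD_LINE5, LONG_NAME_LINE,
                                  NO_NAME_LINE, NO_SPACE_LINE };
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        char name[NAME_MAX];
        unsigned long long addr = 0;
        size_t old_len = old_rule_copy_len(lines[i]);
        int ok = new_rule_parse(lines[i], name, &addr);

        printf("%-44.*s old copy=%2zu byte(s)%s  new: %s\n",
               (int)strcspn(lines[i], "\n"), lines[i], old_len,
               old_len > NAME_MAX ? " (OVERFLOW)" : "",
               ok == 0 ? name : "rejected");
    }
    return 0;
}
```

The point the run makes is that the old rule only bounds the name from below, so a 32-character name is accepted and would copy 33 bytes into a 6-byte buffer, while the new rule rejects it before anything is copied; lines with no name or without the `" @ 0x"` separator are rejected by both.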