dp-acpi.c: fix incorrect error handling of efidp_node_size() invocations

One of our analysis tools noticed the following error: Error: OVERRUN (CWE-119): efivar-38/src/dp-acpi.c:106: return_constant: Function call "efidp_node_size(dp)" may return -1. efivar-38/src/dp-acpi.c:106: overrun-buffer-arg: Calling "format_hex_helper" with "(uint8_t *)dp + 4" and "(efidp_node_size(dp) - 4L) / 2L" is suspicious because of the very large index, 18446744073709551614. The index may be due to a negative parameter being interpreted as unsigned. # 104| debug("DP subtype %d, formatting as ACPI Path", dp->subtype); # 105| format(buf, size, off, "AcpiPath", "AcpiPath(%d,", dp->subtype); # 106|-> format_hex(buf, size, off, "AcpiPath", (uint8_t *)dp+4, # 107| (efidp_node_size(dp)-4) / 2); # 108| format(buf, size, off, "AcpiPath", ")"); This patch adds error checking to that use of efidp_node_size(). Resolves: RHEL-27676 Signed-off-by: Peter Jones <[email protected]>
rhboot · Mar 6, 2024 · 4e09015 · 4e09015
1 parent 57d1023
commit 4e09015
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/src/dp-acpi.c b/src/dp-acpi.c
@@ -101,10 +101,17 @@ _format_acpi_dn(unsigned char *buf, size_t size, const_efidp dp)
 		return off;
 	} else if (dp->subtype != EFIDP_ACPI_HID_EX &&
 		   dp->subtype != EFIDP_ACPI_HID) {
+		ssize_t limit = efidp_node_size(dp);
+
 		debug("DP subtype %d, formatting as ACPI Path", dp->subtype);
+		if (SUB(limit, 4, &limit) ||
+		    DIV(limit, 2, &limit) ||
+		    limit < 0) {
+			efi_error("bad DP node size");
+			return -1;
+		}
 		format(buf, size, off, "AcpiPath", "AcpiPath(%d,", dp->subtype);
-		format_hex(buf, size, off, "AcpiPath", (uint8_t *)dp+4,
-			   (efidp_node_size(dp)-4) / 2);
+		format_hex(buf, size, off, "AcpiPath", (uint8_t *)dp+4, limit);
 		format(buf, size, off, "AcpiPath", ")");
 		return off;
 	} else if (dp->subtype == EFIDP_ACPI_HID_EX) {