dp-hw.c: fix incorrect error handling of efidp_node_size() invocations

One of our analysis tools noticed the following error: Error: OVERRUN (CWE-119): efivar-38/src/dp-hw.c:64: return_constant: Function call "efidp_node_size(dp)" may return -1. efivar-38/src/dp-hw.c:64: overrun-buffer-arg: Calling "format_hex_helper" with "(uint8_t *)dp + 4" and "efidp_node_size(dp) - 4L" is suspicious because of the very large index, 18446744073709551611. The index may be due to a negative parameter being interpreted as unsigned. # 62| format(buf, size, off, "Hardware", # 63| "HardwarePath(%d,", dp->subtype); # 64|-> format_hex(buf, size, off, "Hardware", (uint8_t *)dp+4, # 65| efidp_node_size(dp)-4); # 66| format(buf, size, off, "Hardware", ")"); This patch adds error checking to that use of efidp_node_size(). Resolves: RHEL-27676 Signed-off-by: Peter Jones <[email protected]>
rhboot · Mar 6, 2024 · b580d3b · b580d3b
1 parent 4e09015
commit b580d3b
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/src/dp-hw.c b/src/dp-hw.c
@@ -58,13 +58,20 @@ _format_hw_dn(unsigned char *buf, size_t size, const_efidp dp)
 		format(buf, size, off, "BMC", "BMC(%d,0x%"PRIx64")",
 		       dp->bmc.interface_type, dp->bmc.base_addr);
 		break;
-	default:
+	default: {
+		ssize_t sz = efidp_node_size(dp);
+
+		if (SUB(sz, 4, &sz) ||
+		    sz < 0) {
+			efi_error("bad DP node size");
+			return -1;
+		}
 		format(buf, size, off, "Hardware",
 		       "HardwarePath(%d,", dp->subtype);
-		format_hex(buf, size, off, "Hardware", (uint8_t *)dp+4,
-			   efidp_node_size(dp)-4);
+		format_hex(buf, size, off, "Hardware", (uint8_t *)dp+4, sz);
 		format(buf, size, off, "Hardware", ")");
 		break;
+		 }
 	}
 	return off;
 }