From 62e8de172dfa707990e3f2721954290499c0e14f Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 1 May 2017 14:54:15 -0400
Subject: [PATCH 10/22] efidp_append_path(): error check the right variable.
We do lsz=efidp_size(dp); rsz=efidp_size(dn); and then we error check
lsz twice. One should be rsz.
We also actually do the whole thing with lsz twice anyway, and fail to
check that dp isn't NULL first.
We're also not error checking that the buffer from our addition is
actually large enough to hold something meaningful. So do that too.
None of that is right, so fix it.
Covscan completely failed to notice this, but complained about something
irrelevant later on in the code that's a result.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/dp.c | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
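diff --git a/src/dp.c b/src/dp.c
index e9a257e..e700af9 100644
--- a/src/dp.c
+++ b/src/dp.c
@@ -139,7 +139,7 @@ efidp_append_path(const_efidp dp0, const_efidp dp1, efidp *out)
 }
 
 rsz = efidp_size(dp1);
- if (lsz < 0) {
+ if (rsz < 0) {
 efi_error("efidp_size(dp1) returned error");
 return -1;
 }
@@ -166,6 +166,13 @@ efidp_append_path(const_efidp dp0, const_efidp dp1, efidp *out)
 efi_error("arithmetic overflow computing allocation size");
 return -1;
 }
+
+ if (newsz < (ssize_t)sizeof(efidp_header)) {
+ errno = EINVAL;
+ efi_error("allocation for new device path is smaller than device path header.");
+ return -1;
+ }
+
 new = malloc(newsz);
 if (!new) {
 efi_error("allocation failed");
@@ -195,10 +202,11 @@ efidp_append_node(const_efidp dp, const_efidp dn, efidp *out)
 return rc;
 }
 
- lsz = efidp_size(dp);
- if (lsz < 0) {
- efi_error("efidp_size(dp) returned error");
- return -1;
+ if (!dp && dn) {
+ rc = efidp_duplicate_path(dn, out);
+ if (rc < 0)
+ efi_error("efidp_duplicate_path() failed");
+ return rc;
 }
 
 if (dp && !dn) {
@@ -209,13 +217,17 @@ efidp_append_node(const_efidp dp, const_efidp dn, efidp *out)
 }
 
 lsz = efidp_size(dp);
- if (lsz < 0)
+ if (lsz < 0) {
+ efi_error("efidp_size(dp) returned error");
 return -1;
+ }
 
 
 rsz = efidp_node_size(dn);
- if (rsz < 0)
+ if (rsz < 0) {
+ efi_error("efidp_size(dn) returned error");
 return -1;
+ }
 
 if (!dp && dn) {
 if (add(rsz, sizeof(end_entire), &newsz)) {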
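Review bot: In efidp_append_node(), the added early return `if (!dp && dn) { rc = efidp_duplicate_path(dn, out); ... return rc; }` makes the later `if (!dp && dn) {` branch (context in the last hunk) unreachable and treats dn as a whole path, whereas that later branch sizes it with `efidp_node_size(dn)` and adds `sizeof(end_entire)`. If efidp_duplicate_path() measures its argument with efidp_size() (its body is not in this diff, so this is inferred), a single node with no end terminator could be read past its own length. Consider dropping the early return and guarding the size call instead, `lsz = dp ? efidp_size(dp) : 0;`, so the existing node-aware branch still covers a NULL dp. The new message after `rsz = efidp_node_size(dn);` also names the wrong function; `efi_error("efidp_node_size(dn) returned error");` would match the call. efidp_append_node() starts and ends outside the visible hunks.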
--
2.12.2