From b8771d0b1d660dfe34d55ddf320495325315d1d9 Mon Sep 17 00:00:00 2001 From: Michal Simek Date: Fri, 6 Nov 2020 13:55:45 +0100 Subject: [PATCH] fru: ops: Do not let parser to write data to not allocated space If customs fields in board area are used it will likely go over allocated space in struct fru_board_data. That's why calculate limit of this structure to make sure that different data is not rewritten by accident. When limit is reached stop to record fields. Signed-off-by: Michal Simek --- board/xilinx/common/fru_ops.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/board/xilinx/common/fru_ops.c b/board/xilinx/common/fru_ops.c index affcb121aa..b4cd3d4998 100644 --- a/board/xilinx/common/fru_ops.c +++ b/board/xilinx/common/fru_ops.c @@ -163,12 +163,15 @@ static int fru_parse_board(unsigned long addr) { u8 i, type; int len; - u8 *data, *term; + u8 *data, *term, *limit; memcpy(&fru_data.brd.ver, (void *)addr, 6); addr += 6; data = (u8 *)&fru_data.brd.manufacturer_type_len; + /* Record max structure limit not to write data over allocated space */ + limit = data + sizeof(struct fru_board_data); + for (i = 0; ; i++, data += FRU_BOARD_MAX_LEN) { len = fru_check_type_len(*(u8 *)addr, fru_data.brd.lang_code, &type); @@ -178,6 +181,9 @@ static int fru_parse_board(unsigned long addr) if (len == -EINVAL) break; + /* Stop when amount of chars is more then fields to record */ + if (data + len > limit) + break; /* This record type/len field */ *data++ = *(u8 *)addr;