diff options
author | Paolo Bonzini <pbonzini@redhat.com> | 2022-09-05 12:32:44 +0200 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2022-09-18 09:17:40 +0200 |
commit | 57e3069641d057a9ca90bb603c86477d5b331ecd (patch) | |
tree | 44674faa3476c474367c442ab4d6382ce170a70c /hw/smbios | |
parent | b00e2c68c5864b4158afc924d868f5c5611a0362 (diff) | |
download | qemu-57e3069641d057a9ca90bb603c86477d5b331ecd.zip qemu-57e3069641d057a9ca90bb603c86477d5b331ecd.tar.gz qemu-57e3069641d057a9ca90bb603c86477d5b331ecd.tar.bz2 |
smbios: sanitize type from external type before checking have_fields_bitmap
test_bit uses header->type as an offset; if the file incorrectly specifies a
type greater than 127, smbios_entry_add will read and write garbage.
To fix this, just pass the smbios data through, assuming the user knows what
to do. Reported by Coverity as CID 1487255.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'hw/smbios')
-rw-r--r-- | hw/smbios/smbios.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c index 60349ee..4c9f664 100644 --- a/hw/smbios/smbios.c +++ b/hw/smbios/smbios.c @@ -1205,13 +1205,15 @@ void smbios_entry_add(QemuOpts *opts, Error **errp) return; } - if (test_bit(header->type, have_fields_bitmap)) { - error_setg(errp, - "can't load type %d struct, fields already specified!", - header->type); - return; + if (header->type <= SMBIOS_MAX_TYPE) { + if (test_bit(header->type, have_fields_bitmap)) { + error_setg(errp, + "can't load type %d struct, fields already specified!", + header->type); + return; + } + set_bit(header->type, have_binfile_bitmap); } - set_bit(header->type, have_binfile_bitmap); if (header->type == 4) { smbios_type4_count++; |