author | Stewart Smith <stewart@linux.ibm.com> | 2019-03-18 16:52:17 +1100 |
---|---|---|
committer | Stewart Smith <stewart@linux.ibm.com> | 2019-03-20 14:27:08 +1100 |
commit | c0faa923216836d25ed55c030cd576bbac3ca1d3 (patch) | |
tree | fcafaa083eb26f3144c856b5d2574a1329b1bad2 /hdata | |
parent | fedb949b71795512a38dc2fa6d71a3371a7d8975 (diff) | |
hdata: Add protection against corrupt ntuples structure
Found using afl-lop on P9 HDAT. Pretty obvious what the problem is once
you look at it, and it's much better having a controlled failure mode
than just going off randomly into memory and segfaulting.
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.ibm.com>
Diffstat (limited to 'hdata')
-rw-r--r-- | hdata/spira.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/hdata/spira.c b/hdata/spira.c
index 5621870..43c76f9 100644
--- a/hdata/spira.c
+++ b/hdata/spira.c
@@ -215,9 +215,30 @@ struct HDIF_common_hdr *__get_hdif(struct spira_ntuple *n, const char id[],
 const char *file, int line)
 {
 struct HDIF_common_hdr *h = ntuple_addr(n);
+ u16 act_cnt, alloc_cnt;
+ u32 act_len, alloc_len;
+
 if (!spira_check_ptr(h, file, line))
 return NULL;
 
+ act_cnt = be16_to_cpu(n->act_cnt);
+ alloc_cnt = be16_to_cpu(n->alloc_cnt);
+
+ if (act_cnt > alloc_cnt) {
+ prerror("SPIRA: bad ntuple, act_cnt > alloc_cnt (%u > %u)\n",
+ act_cnt, alloc_cnt);
+ return NULL;
+ }
+
+ act_len = be32_to_cpu(n->act_len);
+ alloc_len = be32_to_cpu(n->alloc_len);
+
+ if (act_len > alloc_len) {
+ prerror("SPIRA: bad ntuple, act_len > alloc_len (%u > %u)\n",
+ act_len, alloc_len);
+ return NULL;
+ }
+
 if (!HDIF_check(h, id)) {
 prerror("SPIRA: bad tuple %p: expected %s at %s line %d\n",
 h, id, file, line);
|
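Review bot: The two new checks in `__get_hdif` only compare fields of the same firmware-supplied ntuple against each other, so an ntuple whose `act_*` and `alloc_*` values are both corrupt but mutually consistent still passes; nothing visible in the hunk ties the extent implied by the counts and lengths to the region `h` points into. Whether `spira_check_ptr`, `HDIF_check` or the callers bound that extent is outside the hunk, so a comment above the checks such as `/* Consistency only (act <= alloc); the ntuple's extent is not checked against memory here. */` would stop a non-NULL return from being read as a fully validated structure. The new `prerror` calls also omit the `file` and `line` that the existing "bad tuple" message prints, which makes a fuzzing or field failure harder to trace to its caller; `"SPIRA: bad ntuple, act_cnt > alloc_cnt (%u > %u) at %s line %d\n"` with `file, line` appended (and the same for the `act_len` message) would match. The function body continues past the end of the hunk.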