
efidp_append_path(): error check the right variable.
authorPeter Jones <pjones@redhat.com>
Mon, 1 May 2017 18:54:15 +0000 (14:54 -0400)
committerPeter Jones <pjones@redhat.com>
Mon, 1 May 2017 20:06:30 +0000 (16:06 -0400)
We do lsz=efidp_size(dp); rsz=efidp_size(dn); and then we error check
lsz twice.  One should be rsz.

We also actually do the whole thing with lsz twice anyway, and fail to
check that dp isn't NULL first.

We're also not error checking that the buffer from our addition is
actually large enough to hold something meaningful.  So do that too.

None of that is right, so fix it.

Covscan completely failed to notice this, but complained about something
irrelevant later on in the code that's a result.

Signed-off-by: Peter Jones <pjones@redhat.com>
src/dp.c

index e9a257e..e700af9 100644 (file)
--- a/src/dp.c
+++ b/src/dp.c
@@ -139,7 +139,7 @@ efidp_append_path(const_efidp dp0, const_efidp dp1, efidp *out)
        }
 
        rsz = efidp_size(dp1);
-       if (lsz < 0) {
+       if (rsz < 0) {
                efi_error("efidp_size(dp1) returned error");
                return -1;
        }
@@ -166,6 +166,13 @@ efidp_append_path(const_efidp dp0, const_efidp dp1, efidp *out)
                efi_error("arithmetic overflow computing allocation size");
                return -1;
        }
+
+       if (newsz < (ssize_t)sizeof(efidp_header)) {
+               errno = EINVAL;
+               efi_error("allocation for new device path is smaller than device path header.");
+               return -1;
+       }
+
        new = malloc(newsz);
        if (!new) {
                efi_error("allocation failed");
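Review bot: The new lower-bound test `if (newsz < (ssize_t)sizeof(efidp_header))` sits directly in front of `malloc(newsz)` but carries no comment saying what it protects. The cast suggests `newsz` is a signed `ssize_t` (its declaration is outside the hunk), in which case this test is also what stops a negative size from being converted to a very large `size_t` request. I would add a comment above it such as `/* newsz is signed: reject negative or sub-header sizes before it reaches malloc() as a size_t */`. The body of efidp_append_path() starts and ends outside this hunk.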
@@ -195,10 +202,11 @@ efidp_append_node(const_efidp dp, const_efidp dn, efidp *out)
                return rc;
        }
 
-       lsz = efidp_size(dp);
-       if (lsz < 0) {
-               efi_error("efidp_size(dp) returned error");
-               return -1;
+       if (!dp && dn) {
+               rc = efidp_duplicate_path(dn, out);
+               if (rc < 0)
+                       efi_error("efidp_duplicate_path() failed");
+               return rc;
        }
 
        if (dp && !dn) {
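Review bot: The added `if (!dp && dn)` early return hands `dn` to efidp_duplicate_path(), yet in efidp_append_node() `dn` is treated as a single node: the next hunk sizes it with efidp_node_size() and its later `if (!dp && dn)` branch adds `sizeof(end_entire)` to build a terminated path. If efidp_duplicate_path() measures its argument as a whole path (its body is not visible here), a lone node with no end-entire terminator could be read past its end, and the copy would lack the terminator the later branch appends. The early return also makes that later branch unreachable. Consider dropping the early return and guarding the size call instead, `if (dp) { lsz = efidp_size(dp); if (lsz < 0) { ... } }`, so the existing NULL-`dp` branch keeps handling this case. The function continues outside the hunk.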
@@ -209,13 +217,17 @@ efidp_append_node(const_efidp dp, const_efidp dn, efidp *out)
        }
 
        lsz = efidp_size(dp);
-       if (lsz < 0)
+       if (lsz < 0) {
+               efi_error("efidp_size(dp) returned error");
                return -1;
+       }
 
 
        rsz = efidp_node_size(dn);
-       if (rsz < 0)
+       if (rsz < 0) {
+               efi_error("efidp_size(dn) returned error");
                return -1;
+       }
 
        if (!dp && dn) {
                if (add(rsz, sizeof(end_entire), &newsz)) {
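Review bot: The message added to the `rsz` check reads `efidp_size(dn) returned error`, but the call two lines above it is `efidp_node_size(dn)`, so a log reader is pointed at the wrong function. Change it to `efi_error("efidp_node_size(dn) returned error");`. The function body continues past the end of this hunk.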