We do lsz=efidp_size(dp); rsz=efidp_size(dn); and then we error check
lsz twice. One should be rsz.
We also actually do the whole thing with lsz twice anyway, and fail to
check that dp isn't NULL first.
We're also not error checking that the buffer from our addition is
actually large enough to hold something meaningful. So do that too.
None of that is right, so fix it.
Covscan completely failed to notice this, but complained about something
irrelevant later on in the code that is a result of it.
Signed-off-by: Peter Jones <pjones@redhat.com>
}
rsz = efidp_size(dp1);
- if (lsz < 0) {
+ if (rsz < 0) {
efi_error("efidp_size(dp1) returned error");
return -1;
}
efi_error("arithmetic overflow computing allocation size");
return -1;
}
+
+ if (newsz < (ssize_t)sizeof(efidp_header)) {
+ errno = EINVAL;
+ efi_error("allocation for new device path is smaller than device path header.");
+ return -1;
+ }
+
new = malloc(newsz);
if (!new) {
efi_error("allocation failed");
return rc;
}
- lsz = efidp_size(dp);
- if (lsz < 0) {
- efi_error("efidp_size(dp) returned error");
- return -1;
+ if (!dp && dn) {
+ rc = efidp_duplicate_path(dn, out);
+ if (rc < 0)
+ efi_error("efidp_duplicate_path() failed");
+ return rc;
}
if (dp && !dn) {
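Review bot: The new `if (!dp && dn)` early return hands `dn` to `efidp_duplicate_path()`, yet the next hunk sizes the same argument with `efidp_node_size(dn)` and its retained branch adds `sizeof(end_entire)` to that size, which suggests `dn` is a single node with no end node behind it. efidp_duplicate_path() is not visible here; if it measures its argument as a whole path, it would read past the node while looking for a terminator. The early return also makes the `if (!dp && dn)` branch at the end of the next hunk unreachable. Consider guarding only the size call, `if (dp) { lsz = efidp_size(dp); if (lsz < 0) { ... } }`, so that the existing branch can still build the node plus end node. The function body starts and ends outside this hunk.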
}
lsz = efidp_size(dp);
- if (lsz < 0)
+ if (lsz < 0) {
+ efi_error("efidp_size(dp) returned error");
return -1;
+ }
rsz = efidp_node_size(dn);
- if (rsz < 0)
+ if (rsz < 0) {
+ efi_error("efidp_size(dn) returned error");
return -1;
+ }
if (!dp && dn) {
if (add(rsz, sizeof(end_entire), &newsz)) {
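Review bot: The message added for the `rsz` check names the wrong function: the call is `efidp_node_size(dn)`, but the text says efidp_size(dn). That will mislead anyone following the error trace back to the failing call. Use `efi_error("efidp_node_size(dn) returned error");` instead. The function body continues outside this hunk.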