a4c0e60725
This patch fixes a few minor CBFS parsing edge cases that could lead to unintended behavior: the CBFS attribute parser could have run into an infinite loop if an attribute's length was (accidentally or maliciously) invalid. A length of 0 would have caused it to read the same attribute over and over again without making forward progress, while a very large length could have caused an overflow that makes it go backwards to find the next attribute. Also, the filename was not guaranteed to be null-terminated which could have resulted in out-of-bounds reads on a few error messages. Finally, clarify the validity guarantees for CBFS header fields offered by cbfs_walk() in the comment explaining cbfs_mdata. Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: Ie569786e5bec355b522f6580f53bdd8b16a4d726 Reviewed-on: https://review.coreboot.org/c/coreboot/+/57569 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Jakub Czapiga <jacz@semihalf.com> |
||
|---|---|---|
| .. | ||
| include/commonlib/bsd | ||
| cbfs_mcache.c | ||
| cbfs_private.c | ||
| elog.c | ||
| lz4.c.inc | ||
| lz4_wrapper.c | ||