Jean Delvare
2018-07-24 20:43:59 UTC
If the actual DMI table size is less than the announced maximum
(which is allowed for 64-bit SMBIOS 3 entry points), we may allocate
significantly more memory than is actually needed. If reading from
/dev/mem, there's nothing we can do about that. However, is reading
from sysfs or from a dump file, we can easily check the file size
and compute the actual table size from it. That way we only allocate
the required amount of memory.
Credits to Lionel Debroux for seeding the idea when performing fuzz
testing on dmidecode.
---
util.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- dmidecode.orig/util.c 2018-07-24 13:59:26.482911967 +0200
+++ dmidecode/util.c 2018-07-24 14:09:20.089192615 +0200
@@ -90,16 +90,16 @@ int checksum(const u8 *buf, size_t len)
/*
* Reads all of file from given offset, up to max_len bytes.
- * A buffer of max_len bytes is allocated by this function, and
+ * A buffer of at most max_len bytes is allocated by this function, and
* needs to be freed by the caller.
* This provides a similar usage model to mem_chunk()
*
- * Returns pointer to buffer of max_len bytes, or NULL on error, and
+ * Returns a pointer to the allocated buffer, or NULL on error, and
* sets max_len to the length actually read.
- *
*/
void *read_file(off_t base, size_t *max_len, const char *filename)
{
+ struct stat statbuf;
int fd;
size_t r2 = 0;
ssize_t r;
@@ -124,6 +124,15 @@ void *read_file(off_t base, size_t *max_
goto out;
}
+ /*
+ * Check file size, don't allocate more than can be read.
+ */
+ if (fstat(fd, &statbuf) == 0)
+ {
+ if (base + (off_t)*max_len > statbuf.st_size)
+ *max_len = statbuf.st_size - base;
+ }
+
if ((p = malloc(*max_len)) == NULL)
{
perror("malloc");
(which is allowed for 64-bit SMBIOS 3 entry points), we may allocate
significantly more memory than is actually needed. If reading from
/dev/mem, there's nothing we can do about that. However, is reading
from sysfs or from a dump file, we can easily check the file size
and compute the actual table size from it. That way we only allocate
the required amount of memory.
Credits to Lionel Debroux for seeding the idea when performing fuzz
testing on dmidecode.
---
util.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- dmidecode.orig/util.c 2018-07-24 13:59:26.482911967 +0200
+++ dmidecode/util.c 2018-07-24 14:09:20.089192615 +0200
@@ -90,16 +90,16 @@ int checksum(const u8 *buf, size_t len)
/*
* Reads all of file from given offset, up to max_len bytes.
- * A buffer of max_len bytes is allocated by this function, and
+ * A buffer of at most max_len bytes is allocated by this function, and
* needs to be freed by the caller.
* This provides a similar usage model to mem_chunk()
*
- * Returns pointer to buffer of max_len bytes, or NULL on error, and
+ * Returns a pointer to the allocated buffer, or NULL on error, and
* sets max_len to the length actually read.
- *
*/
void *read_file(off_t base, size_t *max_len, const char *filename)
{
+ struct stat statbuf;
int fd;
size_t r2 = 0;
ssize_t r;
@@ -124,6 +124,15 @@ void *read_file(off_t base, size_t *max_
goto out;
}
+ /*
+ * Check file size, don't allocate more than can be read.
+ */
+ if (fstat(fd, &statbuf) == 0)
+ {
+ if (base + (off_t)*max_len > statbuf.st_size)
+ *max_len = statbuf.st_size - base;
+ }
+
if ((p = malloc(*max_len)) == NULL)
{
perror("malloc");
--
Jean Delvare
SUSE L3 Support
_______________________________________________
https://lists.nongnu.org/mailman/listinfo/dmidecode-devel
Jean Delvare
SUSE L3 Support
_______________________________________________
https://lists.nongnu.org/mailman/listinfo/dmidecode-devel