summaryrefslogtreecommitdiffstats
path: root/src/interface/efi
diff options
context:
space:
mode:
authorMichael Brown2016-06-22 10:07:20 +0200
committerMichael Brown2016-06-22 10:07:20 +0200
commit632e57f0f36d9b48f574db273a19e26bf592fc99 (patch)
tree76cc06787e8e7b1b34f0a32f498732e52b75c60d /src/interface/efi
parent[efi] Report failures to stop the EFI timer tick event (diff)
downloadipxe-632e57f0f36d9b48f574db273a19e26bf592fc99.tar.gz
ipxe-632e57f0f36d9b48f574db273a19e26bf592fc99.tar.xz
ipxe-632e57f0f36d9b48f574db273a19e26bf592fc99.zip
[efi] Do not copy garbage bytes into SNP device path MAC address
The SNP device path includes the network device's MAC address within the MAC_ADDR_DEVICE_PATH.MacAddress field. We check that the link-layer address will fit within this field, and then perform the copy using the length of the destination buffer. At 32 bytes, the MacAddress field is actually larger than the current maximum iPXE link-layer address. The copy therefore overflows the source buffer, resulting in trailing garbage bytes being appended to the device path's MacAddress. This is invisible in debug messages, since the DevicePathToText protocol will render only the length implied by the interface type. Fix by copying only the actual length of the link-layer address (which we have already verified will not overflow the destination buffer). Debugged-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/interface/efi')
-rw-r--r--src/interface/efi/efi_snp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/interface/efi/efi_snp.c b/src/interface/efi/efi_snp.c
index a6e94c00..e6388bf6 100644
--- a/src/interface/efi/efi_snp.c
+++ b/src/interface/efi/efi_snp.c
@@ -1651,7 +1651,7 @@ static int efi_snp_probe ( struct net_device *netdev ) {
macpath->Header.SubType = MSG_MAC_ADDR_DP;
macpath->Header.Length[0] = sizeof ( *macpath );
memcpy ( &macpath->MacAddress, netdev->ll_addr,
- sizeof ( macpath->MacAddress ) );
+ netdev->ll_protocol->ll_addr_len );
macpath->IfType = ntohs ( netdev->ll_protocol->ll_proto );
if ( ( tag = vlan_tag ( netdev ) ) ) {
vlanpath = ( ( ( void * ) macpath ) + sizeof ( *macpath ) );