authorMichael Brown2015-05-04 16:46:14 +0200
committerMichael Brown2015-05-04 16:54:18 +0200
commit324aab1297506c045a569303cddf42bc1906cefd (patch)
tree25193c1b339f2e15649c9994e8ac85db6a7cbd0c
parent[cmdline] Add "onefail" command-line parameter (diff)
[dmi] Avoid overrunning the mem_devs[] and md_maps[] arrays
The DMI table parsing code in open_dmi() currently performs no bounds checking when populating the mem_devs[] and md_maps[] arrays. When running under VMware (which creates 64 entries, most of which are empty), this causes open_dmi() to write beyond the end of both of these arrays. This causes entertainingly undefined behaviour, such as assuming the existence of over 930,000 active CPU cores. Fix by truncating the mem_devs[] and md_maps[] arrays as needed. Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r--dmi.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/dmi.c b/dmi.c
index 1f11008..3e5d570 100644
--- a/dmi.c
+++ b/dmi.c
@@ -205,11 +205,13 @@ int open_dmi(void){
while(dmi < table_start + eps->tablelength){
struct tstruct_header *header = (struct tstruct_header *)dmi;
- if (header->type == 17)
+ if ((header->type == 17) &&
+ (mem_devs_count < MAX_DMI_MEMDEVS))
mem_devs[mem_devs_count++] = (struct mem_dev *)dmi;
// Need fix (SMBIOS/DDR3)
- if (header->type == 20 || header->type == 1)
+ if ((header->type == 20 || header->type == 1) &&
+ (md_maps_count < MAX_DMI_MEMDEVS))
md_maps[md_maps_count++] = (struct md_map *)dmi;
// MB_SPEC
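Review bot: The new guards on `mem_devs[mem_devs_count++]` and `md_maps[md_maps_count++]` bound the array index but not the entry itself: the loop condition only shows that `dmi` is below `table_start + eps->tablelength`, so a structure starting in the last few bytes of the table is still stored as a full `struct mem_dev` or `struct md_map`. Any later read of fields through those pointers could then run past the firmware-supplied table; the readers are outside this hunk, so this is inferred rather than shown. Adding a condition such as `(dmi + sizeof(struct mem_dev) <= table_start + eps->tablelength)` (and the `struct md_map` equivalent) next to each count check would keep stored entries inside the table, assuming `dmi` is a byte pointer. Entries past MAX_DMI_MEMDEVS are now dropped silently, so a comment such as `/* Excess DMI entries are ignored; the memory device list may be incomplete */` above the first check would help the next reader. open_dmi() begins and ends outside the hunk.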