From 324aab1297506c045a569303cddf42bc1906cefd Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Mon, 4 May 2015 15:46:14 +0100 Subject: [dmi] Avoid overrunning the mem_devs[] and md_maps[] arrays The DMI table parsing code in open_dmi() currently performs no bounds checking when populating the mem_devs[] and md_maps[] arrays. When running under VMware (which creates 64 entries, most of which are empty), this causes open_dmi() to write beyond the end of both of these arrays. This causes entertainingly undefined behaviour, such as assuming the existence of over 930,000 active CPU cores. Fix by truncating the mem_devs[] and md_maps[] arrays as needed. Signed-off-by: Michael Brown --- dmi.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dmi.c b/dmi.c index 1f11008..3e5d570 100644 --- a/dmi.c +++ b/dmi.c @@ -205,11 +205,13 @@ int open_dmi(void){ while(dmi < table_start + eps->tablelength){ struct tstruct_header *header = (struct tstruct_header *)dmi; - if (header->type == 17) + if ((header->type == 17) && + (mem_devs_count < MAX_DMI_MEMDEVS)) mem_devs[mem_devs_count++] = (struct mem_dev *)dmi; // Need fix (SMBIOS/DDR3) - if (header->type == 20 || header->type == 1) + if ((header->type == 20 || header->type == 1) && + (md_maps_count < MAX_DMI_MEMDEVS)) md_maps[md_maps_count++] = (struct md_map *)dmi; // MB_SPEC -- cgit v1.2.3-55-g7522
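Review bot: In the second changed condition, md_maps[] is bounded by MAX_DMI_MEMDEVS, a constant named for mem_devs[]. The declaration of md_maps[] is not visible in this hunk, so please confirm it has that many elements, or bound each array by its own element count, for example `md_maps_count < sizeof(md_maps) / sizeof(md_maps[0])`, so the check cannot drift from the declaration. Both checks also discard excess entries silently. Since the commit message says VMware reports 64 entries, most of them empty, keeping only the first MAX_DMI_MEMDEVS type 17 structures may retain empty slots while dropping populated ones that appear later in the table. Consider skipping empty devices before storing the pointer, or recording that truncation happened so later code that reports memory layout can say the list is incomplete.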