git: 7bc852d94dbf - stable/14 - pci: propagate vpd read error
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 29 Apr 2025 18:30:30 UTC
The branch stable/14 has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=7bc852d94dbf01d4feacd4f2a23b1ac22aea694c
commit 7bc852d94dbf01d4feacd4f2a23b1ac22aea694c
Author: Ryan Libby <rlibby@FreeBSD.org>
AuthorDate: 2024-07-07 23:46:58 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2025-04-29 14:17:01 +0000
pci: propagate vpd read error
On read error, we would return -1, but not handle it, causing a zero
size malloc of value, and then we wouldd unconditionally write
value[-1 + 1] = '\0'. This should be harmless in terms of buffer
overflow because we should get a minimum non-zero size allocation from
malloc, but it also effectively swallowed the error.
Reported by: GCC -Wstringop-overflow
Reviewed by: kib, se
Differential Revision: https://reviews.freebsd.org/D45895
(cherry picked from commit 39bda097c03780e26e6a25ff59a3e8e77c77563f)
---
sys/dev/pci/pci.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sys/dev/pci/pci.c b/sys/dev/pci/pci.c
index dde50afd9319..8224a6829f3e 100644
--- a/sys/dev/pci/pci.c
+++ b/sys/dev/pci/pci.c
@@ -1196,7 +1196,7 @@ vpd_read_elem_data(struct vpd_readstate *vrs, char keyword[2], char **value, int
int len;
len = vpd_read_elem_head(vrs, keyword);
- if (len > maxlen)
+ if (len < 0 || len > maxlen)
return (-1);
*value = vpd_read_value(vrs, len);
@@ -1217,7 +1217,7 @@ vpd_fixup_cksum(struct vpd_readstate *vrs, char *rvstring, int len)
}
/* fetch one read-only element and return size of heading + data */
-static size_t
+static int
next_vpd_ro_elem(struct vpd_readstate *vrs, int maxsize)
{
struct pcicfg_vpd *vpd;
@@ -1251,7 +1251,7 @@ next_vpd_ro_elem(struct vpd_readstate *vrs, int maxsize)
}
/* fetch one writable element and return size of heading + data */
-static size_t
+static int
next_vpd_rw_elem(struct vpd_readstate *vrs, int maxsize)
{
struct pcicfg_vpd *vpd;