From 8ff32018e8dd53c26d1f0daef118037fdae58c68 Mon Sep 17 00:00:00 2001
From: Jean Delvare <jdelvare@suse.de>
Date: Wed, 1 Aug 2018 09:54:45 +0200
Subject: dmidecode: Avoid OOB read on invalid entry point length

Don't let the entry point checksum verification run beyond the end of
the buffer holding it (32 bytes).

This bug was discovered by Lionel Debroux using the AFL fuzzer and
AddressSanitizer.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
---
 dmidecode.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/dmidecode.c b/dmidecode.c
index fa6ecf1..474ca7b 100644
--- a/dmidecode.c
+++ b/dmidecode.c
@@ -4928,6 +4928,15 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
 	u32 ver;
 	u64 offset;
 
+	/* Don't let checksum run beyond the buffer */
+	if (buf[0x06] > 0x20)
+	{
+		fprintf(stderr,
+			"Entry point length too large (%u bytes, expected %u).\n",
+			(unsigned int)buf[0x06], 0x18U);
+		return 0;
+	}
+
 	if (!checksum(buf, buf[0x06]))
 		return 0;
 
@@ -4966,6 +4975,15 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
 {
 	u16 ver;
 
+	/* Don't let checksum run beyond the buffer */
+	if (buf[0x05] > 0x20)
+	{
+		fprintf(stderr,
+			"Entry point length too large (%u bytes, expected %u).\n",
+			(unsigned int)buf[0x05], 0x1FU);
+		return 0;
+	}
+
 	if (!checksum(buf, buf[0x05])
 	 || memcmp(buf + 0x10, "_DMI_", 5) != 0
 	 || !checksum(buf + 0x10, 0x0F))
-- 
cgit v1.0-41-gc330