pci: propagate vpd read error

On read error, we would return -1, but not handle it, causing a zero size malloc of value, and then we wouldd unconditionally write value[-1 + 1] = '\0'. This should be harmless in terms of buffer overflow because we should get a minimum non-zero size allocation from malloc, but it also effectively swallowed the error. Reported by: GCC -Wstringop-overflow Reviewed by: kib, se Differential Revision: https://reviews.freebsd.org/D45895 (cherry picked from commit 39bda097c03780e26e6a25ff59a3e8e77c77563f)
2026-05-28 04:12:45 -04:00 · 2024-07-07 16:46:58 -07:00 · 2024-07-07 16:46:58 -07:00 · 7bc852d94d
commit 7bc852d94d
parent 62c010b651
1 changed files with 3 additions and 3 deletions
--- a/sys/dev/pci/pci.c
+++ b/sys/dev/pci/pci.c
@ -1196,7 +1196,7 @@ vpd_read_elem_data(struct vpd_readstate *vrs, char keyword[2], char **value, int
 	int len;

 	len = vpd_read_elem_head(vrs, keyword);
-	if (len > maxlen)
+	if (len < 0 || len > maxlen)
 		return (-1);
 	*value = vpd_read_value(vrs, len);

@ -1217,7 +1217,7 @@ vpd_fixup_cksum(struct vpd_readstate *vrs, char *rvstring, int len)
 }

 /* fetch one read-only element and return size of heading + data */
-static size_t
+static int
 next_vpd_ro_elem(struct vpd_readstate *vrs, int maxsize)
 {
 	struct pcicfg_vpd *vpd;
@ -1251,7 +1251,7 @@ next_vpd_ro_elem(struct vpd_readstate *vrs, int maxsize)
 }

 /* fetch one writable element and return size of heading + data */
-static size_t
+static int
 next_vpd_rw_elem(struct vpd_readstate *vrs, int maxsize)
 {
 	struct pcicfg_vpd *vpd;