From 7bc852d94dbf01d4feacd4f2a23b1ac22aea694c Mon Sep 17 00:00:00 2001 From: Ryan Libby Date: Sun, 7 Jul 2024 16:46:58 -0700 Subject: [PATCH] pci: propagate vpd read error On read error, we would return -1, but not handle it, causing a zero size malloc of value, and then we wouldd unconditionally write value[-1 + 1] = '\0'. This should be harmless in terms of buffer overflow because we should get a minimum non-zero size allocation from malloc, but it also effectively swallowed the error. Reported by: GCC -Wstringop-overflow Reviewed by: kib, se Differential Revision: https://reviews.freebsd.org/D45895 (cherry picked from commit 39bda097c03780e26e6a25ff59a3e8e77c77563f) --- sys/dev/pci/pci.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/dev/pci/pci.c b/sys/dev/pci/pci.c index dde50afd931..8224a6829f3 100644 --- a/sys/dev/pci/pci.c +++ b/sys/dev/pci/pci.c @@ -1196,7 +1196,7 @@ vpd_read_elem_data(struct vpd_readstate *vrs, char keyword[2], char **value, int int len; len = vpd_read_elem_head(vrs, keyword); - if (len > maxlen) + if (len < 0 || len > maxlen) return (-1); *value = vpd_read_value(vrs, len); @@ -1217,7 +1217,7 @@ vpd_fixup_cksum(struct vpd_readstate *vrs, char *rvstring, int len) } /* fetch one read-only element and return size of heading + data */ -static size_t +static int next_vpd_ro_elem(struct vpd_readstate *vrs, int maxsize) { struct pcicfg_vpd *vpd; @@ -1251,7 +1251,7 @@ next_vpd_ro_elem(struct vpd_readstate *vrs, int maxsize) } /* fetch one writable element and return size of heading + data */ -static size_t +static int next_vpd_rw_elem(struct vpd_readstate *vrs, int maxsize) { struct pcicfg_vpd *vpd;