git: 39bda097c037 - main - pci: propagate vpd read error

From: Ryan Libby <rlibby_at_FreeBSD.org>
Date: Sun, 07 Jul 2024 23:47:25 UTC
The branch main has been updated by rlibby:

URL: https://cgit.FreeBSD.org/src/commit/?id=39bda097c03780e26e6a25ff59a3e8e77c77563f

commit 39bda097c03780e26e6a25ff59a3e8e77c77563f
Author:     Ryan Libby <rlibby@FreeBSD.org>
AuthorDate: 2024-07-07 23:46:58 +0000
Commit:     Ryan Libby <rlibby@FreeBSD.org>
CommitDate: 2024-07-07 23:46:58 +0000

    pci: propagate vpd read error
    
    On read error, we would return -1, but not handle it, causing a zero
    size malloc of value, and then we wouldd unconditionally write
    value[-1 + 1] = '\0'.  This should be harmless in terms of buffer
    overflow because we should get a minimum non-zero size allocation from
    malloc, but it also effectively swallowed the error.
    
    Reported by:    GCC -Wstringop-overflow
    Reviewed by:    kib, se
    Differential Revision:  https://reviews.freebsd.org/D45895
---
 sys/dev/pci/pci.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/dev/pci/pci.c b/sys/dev/pci/pci.c
index 9661cfd19db7..171c6b710a32 100644
--- a/sys/dev/pci/pci.c
+++ b/sys/dev/pci/pci.c
@@ -1190,7 +1190,7 @@ vpd_read_elem_data(struct vpd_readstate *vrs, char keyword[2], char **value, int
 	int len;
 
 	len = vpd_read_elem_head(vrs, keyword);
-	if (len > maxlen)
+	if (len < 0 || len > maxlen)
 		return (-1);
 	*value = vpd_read_value(vrs, len);
 
@@ -1211,7 +1211,7 @@ vpd_fixup_cksum(struct vpd_readstate *vrs, char *rvstring, int len)
 }
 
 /* fetch one read-only element and return size of heading + data */
-static size_t
+static int
 next_vpd_ro_elem(struct vpd_readstate *vrs, int maxsize)
 {
 	struct pcicfg_vpd *vpd;
@@ -1245,7 +1245,7 @@ next_vpd_ro_elem(struct vpd_readstate *vrs, int maxsize)
 }
 
 /* fetch one writable element and return size of heading + data */
-static size_t
+static int
 next_vpd_rw_elem(struct vpd_readstate *vrs, int maxsize)
 {
 	struct pcicfg_vpd *vpd;