Date: Thu, 25 Jul 2024 05:13:24 GMT
Message-Id: <202407250513.46P5DOOG082491@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Warner Losh
Subject: git: 06326613afeb - main - smbios: Add length sanity checking
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: imp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 06326613afebc645433c6bf8a2249cf978db9e71
Auto-Submitted: auto-generated

The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=06326613afebc645433c6bf8a2249cf978db9e71

commit 06326613afebc645433c6bf8a2249cf978db9e71
Author:     Warner Losh
AuthorDate: 2024-07-25 05:02:27 +0000
Commit:     Warner Losh
CommitDate: 2024-07-25 05:09:57 +0000

    smbios: Add length sanity checking

    D28743 was committed, reverted and then f689cb23b2782 landed before it
    was recommitted. However, D28743 included an extra length check. Redo
    that functionality so we check both the number of entries as well as the
    length checks for wacky data.

    Sponsored by:           Netflix
    Reviewed by:            gallatin
    Differential Revision:  https://reviews.freebsd.org/D45763

--- sys/dev/ipmi/ipmi_smbios.c | 4 ++-- sys/dev/smbios/smbios.h | 8 +++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/sys/dev/ipmi/ipmi_smbios.c b/sys/dev/ipmi/ipmi_smbios.c index 546db8f2677c..f9fc958d9739 100644 --- a/sys/dev/ipmi/ipmi_smbios.c +++ b/sys/dev/ipmi/ipmi_smbios.c 
@@ -192,8 +192,8 @@ ipmi_smbios_probe(struct ipmi_get_info *info) /* Now map the actual table and walk it looking for an IPMI entry. */ table = pmap_mapbios(header->structure_table_address, header->structure_table_length); - smbios_walk_table(table, header->number_structures, smbios_ipmi_info, - info); + smbios_walk_table(table, header->number_structures, + header->structure_table_length, smbios_ipmi_info, info); /* Unmap everything. */ pmap_unmapbios(table, header->structure_table_length); diff --git a/sys/dev/smbios/smbios.h b/sys/dev/smbios/smbios.h index 42b7e1181486..01e67556cfc0 100644 --- a/sys/dev/smbios/smbios.h +++ b/sys/dev/smbios/smbios.h @@ -80,11 +80,13 @@ struct smbios_structure_header { typedef void (*smbios_callback_t)(struct smbios_structure_header *, void *); static inline void -smbios_walk_table(uint8_t *p, int entries, smbios_callback_t cb, void *arg) +smbios_walk_table(uint8_t *p, int entries, vm_size_t len, + smbios_callback_t cb, void *arg) { struct smbios_structure_header *s; + uint8_t *endp = p + len; - while (entries--) { + while (entries-- && p < endp) { s = (struct smbios_structure_header *)p; cb(s, arg); @@ -93,7 +95,7 @@ smbios_walk_table(uint8_t *p, int entries, smbios_callback_t cb, void *arg) * formatted area of this structure. */ p += s->length; - while (!(p[0] == 0 && p[1] == 0)) + while (p + 1 < endp && !(p[0] == 0 && p[1] == 0)) p++; /*
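Review bot: The call in ipmi_smbios_probe() relies on an undocumented invariant, namely that the len handed to smbios_walk_table() never exceeds the size mapped by pmap_mapbios(). Both use header->structure_table_length here, so it holds for this caller, but a one-line comment on the prototype stating that len must be the mapped size would keep later callers from passing a larger bound. The prototype lives in a shared header and the diffstat lists only this one caller, so also confirm that nothing else still calls smbios_walk_table() with four arguments.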
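Review bot: In the first smbios.h hunk, the new loop condition `p < endp` proves only that one byte of the next structure lies inside the table, yet the body immediately casts p to struct smbios_structure_header and passes it to cb(). Suggest checking before the callback that a whole header fits in `endp - p`, and that s->length is at least sizeof(*s) and no larger than `endp - p`, ending the walk otherwise. As written, the callback can be handed a structure whose claimed length has never been compared with the end of the table.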
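Review bot: In the second smbios.h hunk, `p += s->length` still advances by an unchecked s->length, so p can land beyond endp before the new `p + 1 < endp` test runs; the test does stop the scan, but only by comparing a pointer that is already outside the mapped range. Validating s->length against `endp - p` before the advance avoids forming that pointer at all. The scan can now also end because the table ran out rather than because the double-NUL terminator was found. The code after the loop is cut off in this hunk, so check that it does not treat that case as a well-formed end of structure, and consider ending the walk there.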