cbfs: Prevent overflow and infinite loop in cbfs_walk
A CBFS file with a length of (UINT32_MAX - cbfs_file.offset + 1) causes an overflow, making cbfs_walk() get stuck in an infinite loop, checking the same file. This patch makes cbfs_walk() skip file headers with an incorrect data_offset or data_length.

Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: I70020e347087cbd8134a1a60177fa9eef63fb7bd
Reviewed-on: https://review.coreboot.org/c/coreboot/+/57525
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
This commit is contained in:
parent 615cdfcdb9
commit 8edbba4cc4
@ -54,7 +54,8 @@ cb_err_t cbfs_walk(cbfs_dev_t dev, cb_err_t (*walker)(cbfs_dev_t dev, size_t off
|
||||||
if (data_offset > sizeof(mdata) || data_length > devsize ||
|
if (data_offset > sizeof(mdata) || data_length > devsize ||
|
||||||
offset + data_offset + data_length > devsize) {
|
offset + data_offset + data_length > devsize) {
|
||||||
ERROR("File @%#zx too large\n", offset);
|
ERROR("File @%#zx too large\n", offset);
|
||||||
goto next_file;
|
offset += CBFS_ALIGNMENT;
|
||||||
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (empty && !(flags & CBFS_WALK_INCLUDE_EMPTY))
|
if (empty && !(flags & CBFS_WALK_INCLUDE_EMPTY))
|
||||||
|
|
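Review bot: replacing `goto next_file;` with `offset += CBFS_ALIGNMENT; continue;` is the right fix for the loop, because the skip distance no longer depends on the untrusted `data_offset`/`data_length` that just failed validation; the old path must have advanced by a value derived from those fields, which wrapped and landed back on the same header. Two follow-ups worth considering in this hunk: first, the remaining comparison `offset + data_offset + data_length > devsize` is only safe from wrapping because `data_length > devsize` is evaluated first and short-circuits, so that ordering is load-bearing and deserves a one-line comment next to the condition. Second, the `ERROR("File @%#zx too large\n", offset)` message no longer describes what happens next: the walker now resumes scanning at the next alignment boundary inside what is probably the corrupt file's body, so including `data_offset` and `data_length` in the message (and noting that the entry is being skipped) would make a corrupted or tampered image much easier to diagnose from the boot log.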