On Sun, Mar 14, 2021 at 08:19:49AM +0100, Heinrich Schuchardt wrote: > > + * Caller must free the returned value
[...] > > + */ > > +struct > > +efi_device_path *efi_dp_from_lo(struct efi_load_option *lo, > > + efi_uintn_t *size, efi_guid_t guid) > > +{ > > + struct efi_device_path *fp = lo->file_path; > > + struct efi_device_path_vendor *vendor; > > + int lo_len = lo->file_path_length; > > + > > + for (; lo_len >= sizeof(struct efi_device_path); > > + lo_len -= fp->length, fp = (void *)fp + fp->length) { > > + if (fp->type != DEVICE_PATH_TYPE_MEDIA_DEVICE || > > + fp->sub_type != DEVICE_PATH_SUB_TYPE_VENDOR_PATH) > > + continue; > > The device path is provided by the user and may be constructed incorrectly. > > lo_len might be negative here. Or the remaining device path might not > fit into lo_len. > > Function efi_dp_check_length() can be used to check the size but it > currently accepts only positive values of maxlen. Maybe we should change > the type of maxlen to ssize() in that function. > Yea, I forgot to fix this one. Regards /Ilias > Best regards > > Heinrich > > > + > > + vendor = (struct efi_device_path_vendor *)fp; > > + if (!guidcmp(&vendor->guid, &guid)) > > + return efi_dp_dup(fp); > > + } > > + log_debug("VenMedia(%pUl) not found in %ls\n", &guid, lo->label); > > + > > + return NULL; > > +} > > >
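Review bot: In the `for` loop of efi_dp_from_lo(), the condition `lo_len >= sizeof(struct efi_device_path)` compares an `int` with a `size_t`, so once `lo_len -= fp->length` has gone negative the value is converted to a large unsigned number and the walk continues past the end of the load option instead of stopping. `fp->length` is also used without any validation: a node with length 0 never advances `fp` or shrinks `lo_len`, and a node whose length exceeds the remaining `lo_len` puts the next `fp->type` read outside the buffer. A matching node is cast to `struct efi_device_path_vendor` and `vendor->guid` is read without confirming that the node is at least that large. Suggest validating each node before it is used: stop when `fp->length < sizeof(*fp)` or `fp->length > lo_len`, and require `fp->length >= sizeof(*vendor)` before the guidcmp() call. Keeping the remaining length in an unsigned type with those checks in place, or making the comparison explicitly signed, removes the wraparound. In the lines quoted here `size` is never written, so either set it on the success path or drop the parameter.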