cbfstool: Fix CBFS header buffer overflow
In the unlikely but possible event where the name of the CBFS file is longer than 232 characters, `cbfs_create_file_header()' would overflow the buffer it allocated when it copies the CBFS filename. Change-Id: If1825b5af21f7a20ce2a7ccb2d45b195c2fb67b0 Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/78500 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Eric Lai <ericllai@google.com> Reviewed-by: Julius Werner <jwerner@chromium.org>
committed by
Matt DeVillier
parent
3e57c57480
commit
66df100930
@@ -650,6 +650,8 @@ static int cbfs_add_integer_component(const char *name,
|
||||
|
||||
header = cbfs_create_file_header(CBFS_TYPE_RAW,
|
||||
buffer.size, name);
|
||||
if (!header)
|
||||
goto done;
|
||||
|
||||
enum vb2_hash_algorithm algo = get_mh_cache()->cbfs_hash.algo;
|
||||
if (algo != VB2_HASH_INVALID)
|
||||
@@ -774,6 +776,8 @@ static int cbfs_add_master_header(void)
|
||||
/* Never add a hash attribute to the master header. */
|
||||
header = cbfs_create_file_header(CBFS_TYPE_CBFSHEADER,
|
||||
buffer_size(&buffer), name);
|
||||
if (!header)
|
||||
goto done;
|
||||
if (cbfs_add_entry(&image, &buffer, 0, header, 0) != 0) {
|
||||
ERROR("Failed to add cbfs master header into ROM image.\n");
|
||||
goto done;
|
||||
@@ -915,6 +919,8 @@ static int cbfs_add_component(const char *filename,
|
||||
|
||||
struct cbfs_file *header =
|
||||
cbfs_create_file_header(param.type, buffer.size, name);
|
||||
if (!header)
|
||||
goto error;
|
||||
|
||||
/* Bootblock and CBFS header should never have file hashes. When adding
|
||||
the bootblock it is important that we *don't* look up the metadata
|
||||
|
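Review bot: The three new `if (!header)` checks (in cbfs_add_integer_component, cbfs_add_master_header and cbfs_add_component) jump straight to the cleanup label without reporting anything, so unless cbfs_create_file_header() prints the reason itself (its body is not shown on this page) a build that passes an over-long CBFS name fails with no hint of the cause. The cbfs_add_entry() failure a few lines further down in cbfs_add_master_header already logs through ERROR(), and the same would fit here, for example `ERROR("Failed to create CBFS file header for '%s'.\n", name);` before each goto. It is also worth confirming that the return value is still a failure code when `done` or `error` is reached from these branches, so that a rejected name cannot be taken for a successful add. The labels and the initialisation of the return variable lie outside the hunks, as do the start and end of all three functions.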