[smbios] Avoid reading beyond end of constructed SMBIOS setting
Signed-off-by: Michael Brown <mcb30@ipxe.org>
diff --git a/src/interface/smbios/smbios_settings.c b/src/interface/smbios/smbios_settings.c
index ec31b43..ca3f2fe 100644
--- a/src/interface/smbios/smbios_settings.c
+++ b/src/interface/smbios/smbios_settings.c
@@ -130,6 +130,13 @@
return rc;
}
+ /* Limit length */
+ if ( tag_offset > sizeof ( buf ) ) {
+ tag_len = 0;
+ } else if ( ( tag_offset + tag_len ) > sizeof ( buf ) ) {
+ tag_len = ( sizeof ( buf ) - tag_offset );
+ }
+
/* Mangle UUIDs if necessary. iPXE treats UUIDs as
* being in network byte order (big-endian). SMBIOS
* specification version 2.6 states that UUIDs are
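Review bot: The first branch zeroes `tag_len` when `tag_offset > sizeof ( buf )` but leaves `tag_offset` itself out of range, so any later code that forms `&buf[tag_offset]` would still compute an address past the array even though no bytes are read. That code is outside the hunk, so this needs confirming there. Clamping the offset in the same branch with `tag_offset = sizeof ( buf );` would keep such a pointer at one-past-the-end. Separately, the second test adds two values whose declarations are not visible here; writing it as `tag_len > ( sizeof ( buf ) - tag_offset )` cannot wrap, because the first branch has already established `tag_offset <= sizeof ( buf )`. The enclosing function starts and ends outside the hunk.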