From: Laurent Licour
Date: Wed, 7 Jul 2010 18:53:22 +0000 (+0200)
Subject: DMI: Fixing memory mgmnt in dmi_memory_module_types
X-Git-Tag: syslinux-4.02-pre1~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5c558dba97becf9d56a26a17f0cff96f780cf67d;p=platform%2Fupstream%2Fsyslinux.git
DMI: Fixing memory mgmnt in dmi_memory_module_types
In some case, dmi_memory_module_types could read the entire memory as a result of a bogus snprintf usage.
---
diff --git a/com32/gplinclude/dmi/dmi_memory.h b/com32/gplinclude/dmi/dmi_memory.h
index 47ad7fc..4d0ad44 100644
--- a/com32/gplinclude/dmi/dmi_memory.h
+++ b/com32/gplinclude/dmi/dmi_memory.h
@@ -66,12 +66,12 @@ void dmi_memory_device_size(uint16_t code, char *size);
 const char *dmi_memory_device_form_factor(uint8_t code);
 void dmi_memory_device_set(uint8_t code, char *set);
 const char *dmi_memory_device_type(uint8_t code);
-void dmi_memory_device_type_detail(uint16_t code, char *type_detail);
+void dmi_memory_device_type_detail(uint16_t code, char *type_detail, int sizeof_type_detail);
 void dmi_memory_device_speed(uint16_t code, char *speed);
-void dmi_memory_module_connections(uint8_t, char *);
+void dmi_memory_module_connections(uint8_t, char *, int);
 void dmi_memory_module_speed(uint8_t, char *);
-void dmi_memory_module_types(uint16_t, const char *, char *);
-void dmi_memory_module_size(uint8_t, char *);
+void dmi_memory_module_types(uint16_t, const char *, char *, int);
+void dmi_memory_module_size(uint8_t, char *, int);
 void dmi_memory_module_error(uint8_t, const char *, char *);
 #endif
diff --git a/com32/gpllib/dmi/dmi.c b/com32/gpllib/dmi/dmi.c
index cd72fbb..507b11a 100644
--- a/com32/gpllib/dmi/dmi.c
+++ b/com32/gpllib/dmi/dmi.c
@@ -516,6 +516,8 @@ int dmi_iterate(s_dmi * dmi)
 int found = 0;
 /* Cleaning structures */
+ memset(dmi, 0, sizeof(s_dmi));
+ memset(&dmi->base_board, 0, sizeof(s_base_board));
 memset(&dmi->battery, 0, sizeof(s_battery));
 memset(&dmi->bios, 0, sizeof(s_bios));
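Review bot: The new buffer-length parameters of `dmi_memory_device_type_detail`, `dmi_memory_module_connections`, `dmi_memory_module_types` and `dmi_memory_module_size` are declared `int`, while every caller in dmi.c passes a `sizeof` expression and the value ends up as snprintf's `size_t` argument. Declaring them `size_t`, e.g. `void dmi_memory_module_types(uint16_t, const char *, char *, size_t);`, removes the narrowing at the call site and rules out a negative length being converted into a very large bound. Naming the parameters in the three unnamed prototypes would also show which argument is the destination capacity.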
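Review bot: `memset(dmi, 0, sizeof(s_dmi));` already clears the whole structure, so the member-wise `memset(&dmi->base_board, …)`, `memset(&dmi->battery, …)` and `memset(&dmi->bios, …)` calls that follow it in this hunk clear bytes that are already zero; the list continues past the end of the hunk. Keep one form only, and prefer `memset(dmi, 0, sizeof *dmi);` so the size follows the pointer's type. If this zeroing is what guarantees that the string fields start out NUL-terminated for the appending helpers in dmi_memory.c, a comment such as `/* string fields must start empty: the dmi_memory_* helpers append to them */` would keep it from being dropped later.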
@@ -751,11 +753,11 @@ void dmi_decode(struct dmi_header *h, uint16_t ver, s_dmi * dmi)
 dmi->memory_module[dmi->memory_module_count - 1].filled = true;
 strlcpy(module->socket_designation, dmi_string(h, data[0x04]), sizeof(module->socket_designation));
- dmi_memory_module_connections(data[0x05], module->bank_connections);
+ dmi_memory_module_connections(data[0x05], module->bank_connections, sizeof(module->bank_connections));
 dmi_memory_module_speed(data[0x06], module->speed);
- dmi_memory_module_types(WORD(data + 0x07), " ", module->type);
- dmi_memory_module_size(data[0x09], module->installed_size);
- dmi_memory_module_size(data[0x0A], module->enabled_size);
+ dmi_memory_module_types(WORD(data + 0x07), " ", module->type, sizeof(module->type));
+ dmi_memory_module_size(data[0x09], module->installed_size, sizeof(module->installed_size));
+ dmi_memory_module_size(data[0x0A], module->enabled_size, sizeof(module->enabled_size));
 dmi_memory_module_error(data[0x0B], "\t\t", module->error_status);
 break;
 case 7: /* 3.3.8 Cache Information */
@@ -836,7 +838,7 @@ void dmi_decode(struct dmi_header *h, uint16_t ver, s_dmi * dmi)
 sizeof(mem->bank_locator));
 strlcpy(mem->type, dmi_memory_device_type(data[0x12]), sizeof(mem->type));
- dmi_memory_device_type_detail(WORD(data + 0x13), mem->type_detail);
+ dmi_memory_device_type_detail(WORD(data + 0x13), mem->type_detail, sizeof(mem->type_detail));
 if (h->length < 0x17)
 break;
 dmi_memory_device_speed(WORD(data + 0x15), mem->speed);
diff --git a/com32/gpllib/dmi/dmi_memory.c b/com32/gpllib/dmi/dmi_memory.c
index a1f2b44..2145829 100644
--- a/com32/gpllib/dmi/dmi_memory.c
+++ b/com32/gpllib/dmi/dmi_memory.c
@@ -132,7 +132,7 @@ const char *dmi_memory_device_type(uint8_t code)
 return out_of_spec;
 }
-void dmi_memory_device_type_detail(uint16_t code, char *type_detail)
+void dmi_memory_device_type_detail(uint16_t code, char *type_detail, int sizeof_type_detail)
 {
 /* 3.3.18.3 */
 static const char *detail[] = {
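Review bot: The unchanged calls `dmi_memory_module_speed(data[0x06], module->speed)` and `dmi_memory_module_error(data[0x0B], "\t\t", module->error_status)` in this hunk still pass a destination with no capacity, and dmi_memory.c shows `dmi_memory_module_speed` filling it with `sprintf`. `dmi_memory_device_speed(WORD(data + 0x15), mem->speed)` in the @@ -836 hunk is in the same position, so giving these helpers the same size argument would make the bounded-write convention uniform. The added `sizeof(module->type)`-style arguments are only correct if those members are arrays; their declarations are not part of this diff, and a pointer member would reproduce the `sizeof(pointer)` mistake this commit removes. The enclosing `dmi_decode` starts and ends outside the hunk.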
@@ -157,7 +157,7 @@ void dmi_memory_device_type_detail(uint16_t code, char *type_detail)
 for (i = 1; i <= 12; i++)
 if (code & (1 << i))
- snprintf(type_detail,sizeof(type_detail), "%s", detail[i - 1]);
+ snprintf(type_detail, sizeof_type_detail, "%s", detail[i - 1]);
 }
 }
@@ -173,7 +173,7 @@ void dmi_memory_device_speed(uint16_t code, char *speed)
 * 3.3.7 Memory Module Information (Type 6)
 */
-void dmi_memory_module_types(uint16_t code, const char *sep, char *type)
+void dmi_memory_module_types(uint16_t code, const char *sep, char *type, int sizeof_type)
 {
 /* 3.3.7.1 */
 static const char *types[] = {
@@ -197,11 +197,11 @@ void dmi_memory_module_types(uint16_t code, const char *sep, char *type)
 for (i = 0; i <= 10; i++)
 if (code & (1 << i))
- snprintf(type,sizeof(type), "%s%s%s", type, sep, types[i]);
+ snprintf(type, sizeof_type, "%s%s%s", type, sep, types[i]);
 }
 }
-void dmi_memory_module_connections(uint8_t code, char *connection)
+void dmi_memory_module_connections(uint8_t code, char *connection, int sizeof_connection)
 {
 if (code == 0xFF)
 sprintf(connection, "%s", "None");
@@ -209,7 +209,7 @@ void dmi_memory_module_connections(uint8_t code, char *connection)
 if ((code & 0xF0) != 0xF0)
 sprintf(connection, "%u ", code >> 4);
 if ((code & 0x0F) != 0x0F)
- snprintf(connection,sizeof(connection), "%s%u", connection, code & 0x0F);
+ snprintf(connection, sizeof_connection, "%s%u", connection, code & 0x0F);
 }
 }
@@ -221,7 +221,7 @@ void dmi_memory_module_speed(uint8_t code, char *speed)
 sprintf(speed, "%u ns", code);
 }
-void dmi_memory_module_size(uint8_t code, char *size)
+void dmi_memory_module_size(uint8_t code, char *size, int sizeof_size)
 {
 /* 3.3.7.2 */
 switch (code & 0x7F) {
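Review bot: In the loop over bits 1 to 12, every matching bit calls `snprintf(type_detail, sizeof_type_detail, "%s", detail[i - 1]);` at the start of the buffer, so when `code` has more than one detail bit set only the last name survives. If the intent is to list all of them, as `dmi_memory_module_types` does, keep a running length and append: `size_t len = strlen(type_detail);` followed by `snprintf(type_detail + len, sizeof_type_detail - len, "%s%s", len ? " " : "", detail[i - 1]);`. The function body begins outside the hunk, so what `type_detail` holds before the loop is not visible here and the append form assumes it starts as an empty, terminated string.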
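Review bot: `snprintf(type, sizeof_type, "%s%s%s", type, sep, types[i]);` passes the destination buffer as one of its own `%s` sources, and the C standard leaves snprintf undefined when copying takes place between overlapping objects, so the bound is now right but the append is still not dependable. The same pattern is in `dmi_memory_module_connections` (@@ -209 hunk) and in both branches of `dmi_memory_module_size` (@@ -239 hunk). Appending at the current end avoids it: `size_t len = strlen(type);` followed by `snprintf(type + len, sizeof_type - len, "%s%s", sep, types[i]);`. Either form relies on `type` being NUL-terminated on entry, which depends on code outside the hunk.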
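Review bot: `sprintf(connection, "%u ", code >> 4);` in this hunk and `sprintf(connection, "%s", "None");` in the previous one stay unbounded although `sizeof_connection` is now available; writing both as `snprintf(connection, sizeof_connection, …)` makes every write in the function bounded. Also, when the high nibble is 0xF and the low nibble is not, nothing in the visible part of the function has written `connection` before it is read back through `%s`, so the result depends on the caller having cleared the buffer. Starting the else branch with `connection[0] = '\0';` removes that dependency.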
@@ -239,9 +239,9 @@ void dmi_memory_module_size(uint8_t code, char *size)
 }
 if (code & 0x80)
- snprintf(size,sizeof(size),"%s %s", size, "(Double-bank Connection)");
+ snprintf(size, sizeof_size, "%s %s", size, "(Double-bank Connection)");
 else
- snprintf(size,sizeof(size), "%s %s", size, "(Single-bank Connection)");
+ snprintf(size, sizeof_size, "%s %s", size, "(Single-bank Connection)");
 }
 void dmi_memory_module_error(uint8_t code, const char *prefix, char *error)
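Review bot: The two branches differ only in the literal, and the return value of snprintf is ignored, so a destination too small for the size text plus the bank suffix is truncated without any indication. Selecting the suffix first, `const char *bank = (code & 0x80) ? "(Double-bank Connection)" : "(Single-bank Connection)";`, leaves a single bounded append to maintain and one place to check the result. The `switch` that fills `size` before this point lies outside the hunk, so whether its writes honour `sizeof_size` cannot be checked from here.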