[PATCH] smbios: Add an explicit bounds check for Type 9 length
Raymond Mao
raymondmaoca at gmail.com
Tue Apr 7 22:41:09 CEST 2026
From: Raymond Mao <raymond.mao at riscstar.com>
Fix Coverity Scan defect on Type 9 length.
Type 9 formatted length is built dynamically from peer_grouping_count.
Although peer_grouping_count is a byte, the resulting formatted area
still must fit in the SMBIOS header length field (u8).
Add an explicit bounds check before extending len, so the size used by
map_sysmem() and memset() is guaranteed to be valid and consistent
with hdr.length.
Fixes: a8442c226635 ("smbios: add support for dynamic generation of Type 9 system slot tables")
Addresses-Coverity-ID: CID 645487: Insecure data handling (TAINTED_SCALAR)
Signed-off-by: Raymond Mao <raymond.mao at riscstar.com>
---
lib/smbios.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/smbios.c b/lib/smbios.c
index d5f18c8bd69..18c48b15d2a 100644
--- a/lib/smbios.c
+++ b/lib/smbios.c
@@ -1093,6 +1093,9 @@ static int smbios_write_type9_1slot(ulong *current, int handle,
* TODO:
* peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
*/
+ if (len + pgroups_size > U8_MAX)
+ return -EINVAL;
+
len += pgroups_size;
t = map_sysmem(*current, len);
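Review bot: The added `return -EINVAL;` gives smbios_write_type9_1slot() a negative return on this path, and the hunk does not show how the caller uses the int result. Please confirm that the caller checks for a negative value before treating the return as a table length or adding it to an address. The rejection is also silent: a log or debug message reporting the offending pgroups_size would make an oversized peer_grouping_count diagnosable rather than just producing a missing Type 9 entry. Minor placement point: the check now sits directly under the "TODO: peer_groups" comment, so a one-line comment stating that the formatted length must fit the u8 hdr.length would keep the two concerns separate.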
--
2.25.1