[PATCH] smbios: Add an explicit bounds check for Type 9 length
Simon Glass
sjg at chromium.org
Sun Apr 12 13:44:25 CEST 2026
Hi Raymond,
On 2026-04-07T20:41:09, Raymond Mao <raymondmaoca at gmail.com> wrote:
> smbios: Add an explicit bounds check for Type 9 length
>
> Fix Coverity Scan defect on Type 9 length.
> Type 9 formatted length is built dynamically from peer_grouping_count.
> Although peer_grouping_count is a byte, the resulting formatted area
> still must fit in the SMBIOS header length field (u8).
> Add an explicit bounds check before extending len, so the size used by
> map_sysmem() and memset() is guaranteed to be valid and consistent
> with hdr.length.
>
> Fixes: a8442c226635 ("smbios: add support for dynamic generation of Type 9 system slot tables")
> Addresses-Coverity-ID: CID 645487: Insecure data handling (TAINTED_SCALAR)
> Signed-off-by: Raymond Mao <raymond.mao at riscstar.com>
>
> lib/smbios.c | 3 +++
> 1 file changed, 3 insertions(+)
> diff --git a/lib/smbios.c b/lib/smbios.c
> @@ -1093,6 +1093,9 @@ static int smbios_write_type9_1slot(ulong *current, int handle,
> + if (len + pgroups_size > U8_MAX)
> + return -EINVAL;
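Review bot: The added check `if (len + pgroups_size > U8_MAX)` has no comment saying where the limit comes from. The commit message gives the reason (the formatted area must fit the u8 SMBIOS header length field and stay consistent with hdr.length), and a one-line comment above the check stating that would keep the reasoning next to the code. The failure path is also silent, so a debug message before the return would make a rejected Type 9 slot visible when the table is generated.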
The callers accumulate the return value with 'len +=' so returning a
negative error code will corrupt the total length. The convention in
this file is to return 0 on error.
Having said that, you could perhaps change this.
Regards,
Simon
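Added example, not part of the original message and not U-Boot code: a minimal model of the accumulation problem raised in the reply above, comparing a writer that returns -EINVAL with one that returns 0 when the length does not fit in one byte. The struct, function names and sample values are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define HDR_LEN_MAX UINT8_MAX	/* SMBIOS header length field is one byte */

/* Hypothetical slot description: fixed formatted area plus peer groups. */
struct slot {
	int base_len;		/* formatted length before peer groups */
	int pgroups_size;	/* bytes added by the peer grouping entries */
};

/* Variant A: reports an oversized slot with a negative errno value. */
static int write_slot_errno(const struct slot *s)
{
	if (s->base_len + s->pgroups_size > HDR_LEN_MAX)
		return -EINVAL;
	return s->base_len + s->pgroups_size;
}

/* Variant B: reports an oversized slot as "0 bytes written". */
static int write_slot_zero(const struct slot *s)
{
	if (s->base_len + s->pgroups_size > HDR_LEN_MAX)
		return 0;
	return s->base_len + s->pgroups_size;
}

/* Caller that sums the return values with 'len +=' and never checks them. */
static int total_len(const struct slot *slots, size_t n,
		     int (*write_slot)(const struct slot *))
{
	int len = 0;

	for (size_t i = 0; i < n; i++)
		len += write_slot(&slots[i]);
	return len;
}

/* Constructed sample: two slots that fit and one that exceeds 255 bytes. */
static const struct slot sample[] = {
	{ 24, 10 }, { 24, 250 }, { 24, 0 },
};
```

With variant B the total counts only the two slots that were written; with variant A the same caller ends up EINVAL bytes short of the data actually emitted.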