Hi Michael,

Thank you for pointing out the potential issue. Here is the fix for it.

Fix the potential segmentation fault in find_mle_hdr, when size%sizeof(uuid_t)!=0 where size is unsigned long.

Signed-off-by: Shane Wang <shane.w...@intel.com>

diff -r ad96c7e8bf5a lcptools/mlehash.c
--- a/lcptools/mlehash.c Tue Jul 21 17:22:14 2009 -0700
+++ b/lcptools/mlehash.c Tue Jul 21 17:57:57 2009 -0700
@@ -308,11 +308,13 @@ error:
 static mle_hdr_t *find_mle_hdr(void *start, size_t size)
 {
-    while ( size > 0 ) {
+    void *end;
+
+    end = start + size - sizeof(uuid_t);
+    while ( start <= end ) {
         if ( are_uuids_equal((const uuid_t *)start, &((uuid_t)MLE_HDR_UUID)) )
             return (mle_hdr_t *)start;
         start += sizeof(uuid_t);
-        size -= sizeof(uuid_t);
     }
     return NULL;
 }

Thanks.
Shane

Michael Gissing wrote:
> Hi!
>
> This is just a minor issue, but I want to share it with you ;-)
>
> file mlehash.c, line 311:
> size is a size_t (typedefed unsigned long), so if "size%sizeof(uuid_t)
> != 0", size will _always_ be >0, the loop won't exit and you'll get a
> segfault.
>
> I've got a question too: How do you ensure that the uuid we are
> searching for is always aligned to sizeof(uuid_t) stepping?
>
> greetz
> Michael
>
> _______________________________________________
> tboot-devel mailing list
> tboot-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tboot-devel
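Review bot: `end = start + size - sizeof(uuid_t);` still computes a pointer before `start` whenever `size < sizeof(uuid_t)` (and both it and the pre-existing `start += sizeof(uuid_t)` depend on GCC's `void *` arithmetic extension); an explicit guard such as `if ( size < sizeof(uuid_t) ) return NULL;` before forming `end`, or typing `end` as `const uint8_t *`, would keep the new code within defined behaviour. The termination problem itself is resolved: `start <= end` exits as soon as fewer than sizeof(uuid_t) bytes remain, so a size that is not a multiple of sizeof(uuid_t) no longer underflows a decrementing `size`. The alignment question in the quoted mail is not addressed by the hunk, though: the loop still advances by sizeof(uuid_t), so a header at an offset that is not a multiple of sizeof(uuid_t) from `start` is never compared, and that precondition deserves a comment above the loop.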
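As an added illustration (this is not tboot's code and not part of the thread above), the following C program shows a bounds-safe version of the scan that find_mle_hdr performs, written against a constructed 16-byte stand-in for uuid_t and a constructed marker value (the real MLE_HDR_UUID is not used). It covers the cases discussed in the thread: a buffer whose size is not a multiple of sizeof(uuid_t), a buffer shorter than one uuid, a marker in the final uuid-sized slot, and, for Michael's alignment question, a marker at an offset that a sizeof(uuid_t) stride skips over but a byte stride finds. Names such as find_marker, demo_uuid_t and the demo_* helpers are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for tboot's uuid_t (assumption: it is 16 bytes). */
typedef struct { uint8_t b[16]; } demo_uuid_t;

/* Constructed marker bytes; NOT the real MLE_HDR_UUID value. */
static const demo_uuid_t DEMO_HDR_UUID = {
    { 0x5a, 0xac, 0x82, 0x90, 0x6f, 0x47, 0xa7, 0x74,
      0x0f, 0x5c, 0x55, 0xa2, 0xcb, 0x51, 0xb6, 0x42 }
};

/*
 * Search [buf, buf + size) for DEMO_HDR_UUID, advancing by `stride` bytes.
 * Returns the byte offset of the first match, or -1 when there is none.
 *
 * The bound is an offset that is compared, never a size_t that is
 * decremented, so a size that is not a multiple of sizeof(demo_uuid_t)
 * cannot wrap to a huge value. The early return for a too-small size means
 * no pointer before or past the buffer is ever formed.
 */
static long find_marker(const uint8_t *buf, size_t size, size_t stride)
{
    if (stride == 0 || size < sizeof(demo_uuid_t))
        return -1;

    size_t last = size - sizeof(demo_uuid_t);  /* last offset a full marker fits at */
    for (size_t off = 0; ; off += stride) {
        if (memcmp(buf + off, DEMO_HDR_UUID.b, sizeof(demo_uuid_t)) == 0)
            return (long)off;
        if (stride > last - off)   /* next step would pass `last`; stop before off can wrap */
            return -1;
    }
}

/* Constructed test buffer: 0xee filler with the marker copied in at `at`
 * (skipped when a full marker would not fit there). */
static void make_buffer(uint8_t *buf, size_t size, size_t at)
{
    memset(buf, 0xee, size);
    if (at <= size && size - at >= sizeof(demo_uuid_t))
        memcpy(buf + at, DEMO_HDR_UUID.b, sizeof(demo_uuid_t));
}

/* 100 bytes is not a multiple of 16: the size class that hung the original loop. */
long demo_aligned_hit(void)
{
    uint8_t buf[100];
    make_buffer(buf, sizeof buf, 32);
    return find_marker(buf, sizeof buf, sizeof(demo_uuid_t));   /* 32 */
}

/* Marker at offset 37: a uuid-sized stride walks right past it. */
long demo_unaligned_miss(void)
{
    uint8_t buf[100];
    make_buffer(buf, sizeof buf, 37);
    return find_marker(buf, sizeof buf, sizeof(demo_uuid_t));   /* -1 */
}

/* Same buffer with a 1-byte stride: found, at the cost of 16x more compares. */
long demo_unaligned_byte_stride(void)
{
    uint8_t buf[100];
    make_buffer(buf, sizeof buf, 37);
    return find_marker(buf, sizeof buf, 1);                     /* 37 */
}

/* Marker occupying the final 16 bytes of a 96-byte buffer: the `<=` boundary. */
long demo_tail_hit(void)
{
    uint8_t buf[96];
    make_buffer(buf, sizeof buf, 80);
    return find_marker(buf, sizeof buf, sizeof(demo_uuid_t));   /* 80 */
}

/* Buffer shorter than one marker: "not found", without reading past the end. */
long demo_tiny_buffer(void)
{
    uint8_t buf[7];
    make_buffer(buf, sizeof buf, 0);
    return find_marker(buf, sizeof buf, sizeof(demo_uuid_t));   /* -1 */
}

int main(void)
{
    printf("aligned hit         : %ld\n", demo_aligned_hit());
    printf("unaligned, stride 16: %ld\n", demo_unaligned_miss());
    printf("unaligned, stride 1 : %ld\n", demo_unaligned_byte_stride());
    printf("tail hit            : %ld\n", demo_tail_hit());
    printf("tiny buffer         : %ld\n", demo_tiny_buffer());
    return 0;
}
```

The stride parameter makes the trade-off explicit: a sizeof(uuid_t) stride is what the patched find_mle_hdr does and is only correct when the caller guarantees the header sits at a multiple of that size from the scan start; a byte stride drops that precondition in exchange for more comparisons.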