mirror of
https://github.com/CTCaer/switch-l4t-atf.git
synced 2024-11-23 09:49:39 +00:00
d0d642450f
The function read_uuid() zeroes the UUID destination buffer on error. However, it mistakenly uses the dest pointer that has been incremented many times during the parsing, leading to an out-of-bounds write. To fix this, retain a pointer to the start of the buffer, and use this when clearing it instead. Signed-off-by: David Horstmann <david.horstmann@arm.com> Change-Id: Iee8857be5d3f383ca2eab86cde99a43bf606f306
135 lines
2.4 KiB
C
135 lines
2.4 KiB
C
/*
|
|
* Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
|
|
*
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
|
*/
|
|
|
|
#include <assert.h>
|
|
#include <errno.h>
|
|
#include <stdint.h>
|
|
#include <string.h>
|
|
|
|
#include <common/debug.h>
|
|
#include <common/uuid.h>
|
|
|
|
/* Return the hex nibble value of a char */
|
|
static int8_t hex_val(char hex)
|
|
{
|
|
int8_t val = 0;
|
|
|
|
if ((hex >= '0') && (hex <= '9')) {
|
|
val = (int8_t)(hex - '0');
|
|
} else if ((hex >= 'a') && (hex <= 'f')) {
|
|
val = (int8_t)(hex - 'a' + 0xa);
|
|
} else if ((hex >= 'A') && (hex <= 'F')) {
|
|
val = (int8_t)(hex - 'A' + 0xa);
|
|
} else {
|
|
val = -1;
|
|
}
|
|
|
|
return val;
|
|
}
|
|
|
|
/*
|
|
* Read hex_src_len hex characters from hex_src, convert to bytes and
|
|
* store in buffer pointed to by dest
|
|
*/
|
|
static int read_hex(uint8_t *dest, char *hex_src, unsigned int hex_src_len)
|
|
{
|
|
int8_t nibble;
|
|
uint8_t byte;
|
|
|
|
/*
|
|
* The string length must be a multiple of 2 to represent an
|
|
* exact number of bytes.
|
|
*/
|
|
assert((hex_src_len % 2U) == 0U);
|
|
|
|
for (unsigned int i = 0U; i < (hex_src_len / 2U); i++) {
|
|
nibble = 0;
|
|
byte = 0U;
|
|
|
|
nibble = hex_val(hex_src[2U * i]);
|
|
if (nibble < 0) {
|
|
return -1;
|
|
}
|
|
byte = (uint8_t)nibble;
|
|
byte <<= 4U;
|
|
|
|
nibble = hex_val(hex_src[(2U * i) + 1U]);
|
|
if (nibble < 0) {
|
|
return -1;
|
|
}
|
|
byte |= (uint8_t)nibble;
|
|
|
|
*dest = byte;
|
|
dest++;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Parse UUIDs of the form aabbccdd-eeff-4099-8877-665544332211 */
|
|
int read_uuid(uint8_t *dest, char *uuid)
|
|
{
|
|
int err;
|
|
uint8_t *dest_start = dest;
|
|
|
|
/* Check that we have enough characters */
|
|
if (strnlen(uuid, UUID_STRING_LENGTH) != UUID_STRING_LENGTH) {
|
|
WARN("UUID string is too short\n");
|
|
return -EINVAL;
|
|
}
|
|
|
|
/* aabbccdd */
|
|
err = read_hex(dest, uuid, 8);
|
|
uuid += 8;
|
|
dest += 4;
|
|
|
|
/* Check for '-' */
|
|
err |= ((*uuid == '-') ? 0 : -1);
|
|
uuid++;
|
|
|
|
/* eeff */
|
|
err |= read_hex(dest, uuid, 4);
|
|
uuid += 4;
|
|
dest += 2;
|
|
|
|
/* Check for '-' */
|
|
err |= ((*uuid == '-') ? 0 : -1);
|
|
uuid++;
|
|
|
|
/* 4099 */
|
|
err |= read_hex(dest, uuid, 4);
|
|
uuid += 4;
|
|
dest += 2;
|
|
|
|
/* Check for '-' */
|
|
err |= ((*uuid == '-') ? 0 : -1);
|
|
uuid++;
|
|
|
|
/* 8877 */
|
|
err |= read_hex(dest, uuid, 4);
|
|
uuid += 4;
|
|
dest += 2;
|
|
|
|
/* Check for '-' */
|
|
err |= ((*uuid == '-') ? 0 : -1);
|
|
uuid++;
|
|
|
|
/* 665544332211 */
|
|
err |= read_hex(dest, uuid, 12);
|
|
uuid += 12;
|
|
dest += 6;
|
|
|
|
if (err < 0) {
|
|
WARN("Error parsing UUID\n");
|
|
/* Clear the buffer on error */
|
|
memset((void *)dest_start, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
|
|
return -EINVAL;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|