14 Mar
2021
14 Mar
'21
8:32 a.m.
On Sun, Mar 14, 2021 at 08:19:49AM +0100, Heinrich Schuchardt wrote:
Caller must free the returned value
[...]
- */
+struct +efi_device_path *efi_dp_from_lo(struct efi_load_option *lo,
efi_uintn_t *size, efi_guid_t guid)+{
- struct efi_device_path *fp = lo->file_path;
- struct efi_device_path_vendor *vendor;
- int lo_len = lo->file_path_length;
- for (; lo_len >= sizeof(struct efi_device_path);
lo_len -= fp->length, fp = (void *)fp + fp->length) {if (fp->type != DEVICE_PATH_TYPE_MEDIA_DEVICE ||fp->sub_type != DEVICE_PATH_SUB_TYPE_VENDOR_PATH)continue;The device path is provided by the user and may be constructed incorrectly.
lo_len might be negative here. Or the remaining device path might not fit into lo_len.
Function efi_dp_check_length() can be used to check the size but it currently accepts only positive values of maxlen. Maybe we should change the type of maxlen to ssize() in that function.
Yea, I forgot to fix this one.
Regards /Ilias
Best regards
Heinrich
vendor = (struct efi_device_path_vendor *)fp;if (!guidcmp(&vendor->guid, &guid))return efi_dp_dup(fp);- }
- log_debug("VenMedia(%pUl) not found in %ls\n", &guid, lo->label);
- return NULL;
+}