efi_loader: device_path: check against file path length

device_path strcuture has 2 bytes of "length" field, and so
file path length should not exceed this limit, 65535.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c
index 897fc1b2e8ac38f57819ab8157da4b968ea7428e..ac5e6f7e14f443978323e93b0eebb22f2fd3ccf6 100644 (file)
--- a/lib/efi_loader/efi_device_path.c
+++ b/lib/efi_loader/efi_device_path.c
@@ -15,6 +15,7 @@
 #include <part.h>
 #include <sandboxblockdev.h>
 #include <asm-generic/unaligned.h>
+#include <linux/compat.h> /* U16_MAX */
 
 #ifdef CONFIG_SANDBOX
 const efi_guid_t efi_guid_host_dev = U_BOOT_HOST_DEV_GUID;
@@ -888,13 +889,16 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part,
 {
        struct efi_device_path_file_path *fp;
        void *buf, *start;
-       unsigned dpsize = 0, fpsize;
+       size_t dpsize = 0, fpsize;
 
        if (desc)
                dpsize = dp_part_size(desc, part);
 
        fpsize = sizeof(struct efi_device_path) +
                 2 * (utf8_utf16_strlen(path) + 1);
+       if (fpsize > U16_MAX)
+               return NULL;
+
        dpsize += fpsize;
 
        start = buf = dp_alloc(dpsize + sizeof(END));
@@ -908,7 +912,7 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part,
        fp = buf;
        fp->dp.type = DEVICE_PATH_TYPE_MEDIA_DEVICE;
        fp->dp.sub_type = DEVICE_PATH_SUB_TYPE_FILE_PATH;
-       fp->dp.length = fpsize;
+       fp->dp.length = (u16)fpsize;
        path_to_uefi(fp->str, path);
        buf += fpsize;
 
@@ -1070,5 +1074,8 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr,
        *file = efi_dp_from_file(((!is_net && device) ? desc : NULL),
                                 part, filename);
 
+       if (!file)
+               return EFI_INVALID_PARAMETER;
+
        return EFI_SUCCESS;
 }