smbios: avoid integer overflow when adding SMBIOS type 0 table

SeaBIOS implements the SMBIOS 2.1 entry point which is limited to a
maximum length of 0xffff. If the SMBIOS data received from QEMU is large
enough, then adding the type 0 table will cause integer overflow. This
results in fun behaviour such as KVM crash, or hangs in SeaBIOS.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

diff --git a/src/fw/biostables.c b/src/fw/biostables.c
index 0c078337a173b3009737fe420b82ab04ab788707..794b5be8334f36d2033355ab64b77e092ed3336c 100644 (file)
--- a/src/fw/biostables.c
+++ b/src/fw/biostables.c
@@ -462,10 +462,16 @@ smbios_romfile_setup(void)
         /* common case: add our own type 0, with 3 strings and 4 '\0's */
         u16 t0_len = sizeof(struct smbios_type_0) + strlen(BIOS_NAME) +
                      strlen(VERSION) + strlen(BIOS_DATE) + 4;
-        ep.structure_table_length += t0_len;
-        if (t0_len > ep.max_structure_size)
-            ep.max_structure_size = t0_len;
-        ep.number_of_structures++;
+        if (t0_len > (0xffff - ep.structure_table_length)) {
+            dprintf(1, "Insufficient space (%d bytes) to add SMBIOS type 0 table (%d bytes)\n",
+                    0xffff - ep.structure_table_length, t0_len);
+            need_t0 = 0;
+        } else {
+            ep.structure_table_length += t0_len;
+            if (t0_len > ep.max_structure_size)
+                ep.max_structure_size = t0_len;
+            ep.number_of_structures++;
+        }
     }
 
     /* allocate final blob and record its address in the entry point */