diff options
Diffstat (limited to 'lib/dimm_spd.c')
| -rw-r--r-- | lib/dimm_spd.c | 49 | 
1 files changed, 28 insertions, 21 deletions
| diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c index 41e30db..d496184 100644 --- a/lib/dimm_spd.c +++ b/lib/dimm_spd.c @@ -1620,8 +1620,10 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)  	struct ipmi_rs * rsp;  	struct ipmi_rq req;  	struct fru_info fru; -	uint8_t *spd_data, msg_data[4]; -	int len, offset; +	uint8_t *spd_data = NULL; +	uint8_t msg_data[4]; +	uint32_t len, offset; +	int rc = -1;  	msg_data[0] = id; @@ -1632,14 +1634,14 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)  	req.msg.data_len = 1;  	rsp = intf->sendrecv(intf, &req); -	if (rsp == NULL) { +	if (!rsp) {  		printf(" Device not present (No Response)\n"); -		return -1; +		goto end;  	} -	if (rsp->ccode > 0) { +	if (rsp->ccode) {  		printf(" Device not present (%s)\n",  		       val2str(rsp->ccode, completion_code_vals)); -		return -1; +		goto end;  	}  	fru.size = (rsp->data[1] << 8) | rsp->data[0]; @@ -1651,15 +1653,15 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)  	if (fru.size < 1) {  		lprintf(LOG_ERR, " Invalid FRU size %d", fru.size); -		return -1; +		goto end;  	}          spd_data = malloc(fru.size); -        if (spd_data == NULL) { +        if (!spd_data) {  		printf(" Unable to malloc memory for spd array of size=%d\n",  		       fru.size); -		return -1; +		goto end;          }  	memset(&req, 0, sizeof(req)); @@ -1677,34 +1679,39 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)  		msg_data[3] = FRU_DATA_RQST_SIZE;  		rsp = intf->sendrecv(intf, &req); -		if (rsp == NULL) { +		if (!rsp) {  			printf(" Device not present (No Response)\n"); -                        free(spd_data); -                        spd_data = NULL; -			return -1; +			goto end;  		} -		if (rsp->ccode > 0) { +		if (rsp->ccode) {  			printf(" Device not present (%s)\n",  			       val2str(rsp->ccode, completion_code_vals)); -                        free(spd_data); -                        spd_data = NULL;  			/* Timeouts are acceptable. No DIMM in the socket */  			if (rsp->ccode == 0xc3) -				return 1; +				rc = 1; -			return -1; +			goto end;  		}  		len = rsp->data[0]; +		if(rsp->data_len < 1 +		   || len > rsp->data_len - 1 +		   || len > fru.size - offset) +		{ +			printf(" Not enough buffer size"); +			goto end; +		}  		memcpy(&spd_data[offset], rsp->data + 1, len);  		offset += len;  	} while (offset < fru.size);  	/* now print spd info */  	ipmi_spd_print(spd_data, offset); -        free(spd_data); -        spd_data = NULL; +	rc = 0; -	return 0; +end: +	free_n(&spd_data); + +	return rc;  } | 
