[smbios] Avoid reading beyond end of constructed SMBIOS setting
authorMichael Brown <mcb30@ipxe.org>
Wed, 31 Jul 2024 15:20:37 +0000 (16:20 +0100)
committerMichael Brown <mcb30@ipxe.org>
Wed, 31 Jul 2024 15:20:37 +0000 (16:20 +0100)
Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/interface/smbios/smbios_settings.c

index ec31b43f2c32dc51280fc28d31c7d9dc2e791a0c..ca3f2fe2f9cf53c58f25d016bc5f6f30bc39d0a0 100644 (file)
@@ -130,6 +130,13 @@ static int smbios_fetch ( struct settings *settings __unused,
                        return rc;
                }
 
+               /* Limit length */
+               if ( tag_offset > sizeof ( buf ) ) {
+                       tag_len = 0;
+               } else if ( ( tag_offset + tag_len ) > sizeof ( buf ) ) {
+                       tag_len = ( sizeof ( buf ) - tag_offset );
+               }
+
                /* Mangle UUIDs if necessary.  iPXE treats UUIDs as
                 * being in network byte order (big-endian).  SMBIOS
                 * specification version 2.6 states that UUIDs are
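Review bot: The second bound check, `( tag_offset + tag_len ) > sizeof ( buf )`, depends on the sum not wrapping, and the declarations of `tag_offset` and `tag_len` are outside the hunk, so their widths cannot be confirmed from here. On the else path the first branch already guarantees `tag_offset <= sizeof ( buf )`, so the subtraction form `} else if ( tag_len > ( sizeof ( buf ) - tag_offset ) ) {` applies the same clamp with no addition that could overflow. The clamp also appears to shorten or empty the value without reporting anything to the caller, so `/* Limit length */` would say more as `/* Limit length to the bytes held in buf; an out-of-range tag yields a truncated or empty value */`. smbios_fetch's body starts and ends outside the hunk, so how the clamped `tag_len` is consumed afterwards is inferred from the commit title rather than seen.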