From 9ac49ee6b361f77eecb94da83fcee41212dadac4 Mon Sep 17 00:00:00 2001 From: Noe Rubinstein Date: Mon, 22 Oct 2012 20:35:06 +0200 Subject: Fix use after free --- build_rom.c | 46 ++++++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 20 deletions(-) diff --git a/build_rom.c b/build_rom.c index c898af7..36b4af0 100644 --- a/build_rom.c +++ b/build_rom.c @@ -63,7 +63,7 @@ void dump_xioh_data(const struct xioh_data *xioh_data); void write_xioh_data(const char *fname, const struct xioh_data *xioh_data); void write_standalone(const char *fname, const struct xioh_data *xioh_data); uint8_t cksum(const uint8_t* addr, size_t sz); -const struct xioh_data* get_xioh_data(char *fname, int serial); +void get_xioh_data(char *fname, int serial, struct xioh_data *xioh_data); int rand_range(int max) { return (int)(rand()/(double)RAND_MAX*max); } unsigned date(void) { return time(NULL) / 86400; } @@ -71,9 +71,9 @@ unsigned date(void) { return time(NULL) / 86400; } static char *next_serial = "next_serial.txt"; #ifdef OLD_DB_FORMAT -static char *db = "db.bin"; +static char *dbf = "db.bin"; #else -static char *db = "db.sqlite"; +static char *dbf = "db.sqlite"; #endif static void print_usage(char *name) @@ -97,7 +97,6 @@ static void print_usage(char *name) int main(int argc, char *argv[]) { struct xioh_data xioh_data; - const struct xioh_data *xioh_data_p = &xioh_data; int i; char *fname = "coreboot.rom"; @@ -122,7 +121,7 @@ int main(int argc, char *argv[]) standalone = optarg; break; case 'd': - db = optarg; + dbf = optarg; break; case 'S': next_serial = optarg; @@ -164,7 +163,7 @@ int main(int argc, char *argv[]) case CONTINUOUS: for(i = 1; i < MAC_NUM; i++) do xioh_data.addr[i].n = xioh_data.addr[i-1].n + 1; - while (mac_used(db, &xioh_data.addr[i])); + while (mac_used(dbf, &xioh_data.addr[i])); break; case RANDOM: if (!(hasfrom && hasto)) { 
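Review bot: The new prototype `void get_xioh_data(char *fname, int serial, struct xioh_data *xioh_data);` gives main no way to learn that the lookup failed; as far as the visible hunks show (@@ -333 and @@ -376), the function reports errors on stderr and calls exit(1) itself. That contract deserves a comment at the declaration, e.g. `/* Loads the stored record for serial into *xioh_data; on failure prints a message and exit()s, so *xioh_data is only valid when the call returns. */`. Since fname is only passed on to sqlite3_open, the parameter could also be `const char *fname`, matching the other prototypes in this hunk.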
@@ -174,7 +173,7 @@ int main(int argc, char *argv[]) choose_macs(from, to, &xioh_data); break; case REFLASH: - xioh_data_p = get_xioh_data(db, serial_number); + get_xioh_data(dbf, serial_number, &xioh_data); break; case MODE_UNSET: print_usage(argv[0]); @@ -195,15 +194,15 @@ int main(int argc, char *argv[]) } - dump_xioh_data(xioh_data_p); + dump_xioh_data(&xioh_data); if (standalone) - write_standalone(standalone, xioh_data_p); + write_standalone(standalone, &xioh_data); else - write_xioh_data(fname, xioh_data_p); + write_xioh_data(fname, &xioh_data); if (mode != REFLASH) - record_use(db, &xioh_data); + record_use(dbf, &xioh_data); return 0; } @@ -284,7 +283,7 @@ retry: xioh_data->addr[i] = mac_between(from, to); if (xioh_data->addr[i].n == xioh_data->addr[j].n) goto retry; - if (mac_used(db, &xioh_data->addr[i])) + if (mac_used(dbf, &xioh_data->addr[i])) goto retry; } } @@ -295,7 +294,7 @@ void write_serial(struct serial *serial, int serial_number) serial->version = XIOH_HARDWARE_VERSION; if (serial_number < 0) { serial->number = get_next_serial(); - } else if (serial_used(db, serial_number)) { + } else if (serial_used(dbf, serial_number)) { fprintf(stderr, "Serial number %d already used!\n", serial_number); exit(2); } else { @@ -323,7 +322,7 @@ unsigned get_next_serial(void) fclose(f); } - while (serial_used(db, cur)) { + while (serial_used(dbf, cur)) { fprintf(stderr, "Serial number %d already used! Trying %d.\n", cur, cur+1); cur++; } @@ -333,12 +332,13 @@ unsigned get_next_serial(void) return cur; } -const struct xioh_data* get_xioh_data(char *fname, int serial) { +void get_xioh_data(char *fname, int serial, struct xioh_data *xioh_data) { sqlite3 *db; sqlite3_stmt *stmt; int rc; - const struct xioh_data* res = NULL; + const struct xioh_data *db_data = NULL; + printf("%s\n", fname); rc = sqlite3_open(fname, &db); if (SQLITE_OK != rc) { fprintf(stderr, "could not open sqlite database \"%s\" " 
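Review bot: The added `printf("%s\n", fname);` after the `db_data` declaration looks like leftover debugging output: it writes the database path to stdout unconditionally on every REFLASH run and is not tied to any option. Drop it, or route it through stderr like the surrounding diagnostics (`fprintf(stderr, "using database %s\n", fname);`). The rest of get_xioh_data, including the open-failure message that starts at the end of this hunk, continues in the following hunks.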
@@ -361,7 +361,15 @@ const struct xioh_data* get_xioh_data(char *fname, int serial) { switch (rc) { case SQLITE_ROW: - res = sqlite3_column_blob(stmt, 0); + db_data = sqlite3_column_blob(stmt, 0); + if (sqlite3_column_bytes(stmt, 0) != sizeof(*xioh_data)) { + fprintf(stderr, "Blob size mismatch! (%d should be %d)\n", + sqlite3_column_bytes(stmt, 0), + sizeof(*xioh_data)); + db_data = NULL; + goto prepared; + } + memcpy(xioh_data, db_data, sizeof(*xioh_data)); break; case SQLITE_DONE: fprintf(stderr, "No data for serial number %d\n", serial); @@ -376,9 +384,7 @@ prepared: \ opened: \ sqlite3_close(db); \ - if (res) - return res; - else + if (!db_data) exit(1); } -- cgit v1.2.3
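Review bot: The mismatch message passes `sizeof(*xioh_data)` to `%d`; sizeof yields a size_t, so the conversion specifier does not match the argument type (undefined behavior, and -Wformat flags it). Use `fprintf(stderr, "Blob size mismatch! (%d should be %zu)\n", sqlite3_column_bytes(stmt, 0), sizeof(*xioh_data));`. The size check itself is the right guard to place before the memcpy, since a shorter blob would otherwise be read past its end; the enclosing switch and function continue outside the hunk.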
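Review bot: `if (!db_data)` is evaluated after `sqlite3_close(db)` (and presumably after the statement is finalized at `prepared:`, which is not visible), so db_data is by then a pointer into memory SQLite has released; only its null-ness is inspected, which removes the original use-after-free, but it still reads as a dangling reference and the value of a pointer to freed storage is indeterminate. Prefer an explicit flag: declare `int found = 0;` next to db_data in hunk @@ -333, set `found = 1;` immediately after the memcpy in hunk @@ -361, and test `if (!found) exit(1);` here, so db_data can be confined to the SQLITE_ROW case. The trailing backslashes on the `prepared:`/`opened:` context lines look like an extraction artifact rather than code, so I have not treated them as line continuations.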