Skip to content

Commit 0e7bebc

Browse files
marta-lewandowskamarta-lewandowska
committed
Fix stack overflow caused by infinite recursion
If an EFI device path node has 0 length, loop will never terminate. Resolves: bz#2459982 Resolves: CVE-2026-6862 Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
1 parent d7f5527 commit 0e7bebc

2 files changed

Lines changed: 3 additions & 1 deletion

File tree

src/include/efivar/efivar-dp.h

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1122,6 +1122,8 @@ efidp_is_valid(const_efidp dp, ssize_t limit)
11221122
efidp_header *next;
11231123
if (limit < (int64_t)(sizeof (efidp_header)))
11241124
return 0;
1125+
if (hdr->length < 4)
1126+
return 0;
11251127

11261128
switch (hdr->type) {
11271129
case EFIDP_HARDWARE_TYPE:

src/loadopt.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -138,7 +138,7 @@ efi_loadopt_optional_data_size(efi_load_option *opt, size_t size)
138138
}
139139
for (sz = 0; sz < opt->file_path_list_length;
140140
sz += efidp_size((const_efidp)(p + sz)))
141-
;
141+
;
142142
if (sz != opt->file_path_list_length) {
143143
efi_error("size does not match file path size (%zd/%d)",
144144
sz, opt->file_path_list_length);

0 commit comments

Comments
 (0)