multiboot.c: check bounds in debug function dump_tags

rizlik · rizlik · commit 2c2fb726b2ad · 2026-02-27T14:20:28.000+01:00
diff --git a/src/multiboot.c b/src/multiboot.c
@@ -315,17 +315,20 @@ static void mb2_parse_info_request_tag(void* tag) {
     }
 }
 
-static void mb2_dump_tags(void* mbTags) {
+static void mb2_dump_tags(void* mbTags, uint32_t tags_len) {
     struct mb2_tag* tag = (struct  mb2_tag*)mbTags;
+    uint8_t *end = (uint8_t*)mbTags + tags_len;
 
-    while (tag->type != 0) {
+    while ((uint8_t*)tag + sizeof(*tag) <= end && tag->type != 0) {
         MB2_DEBUG_PRINTF("Tag Type: %u\r\n", tag->type);
         MB2_DEBUG_PRINTF("Tag Flags: 0x%x\r\n", tag->flags);
         MB2_DEBUG_PRINTF("Tag Size: %u\r\n", tag->size);
 
         if (tag->type == MB2_TAG_TYPE_INFO_REQ)
             mb2_parse_info_request_tag(tag);
 
+        if (tag->size < sizeof(*tag))
+            break;
         tag = (struct mb2_tag*)mb2_align_address_up((uint8_t*)tag + tag->size,
                                                     8);
     }
@@ -341,7 +344,9 @@ static void mb2_dump_header(void* mbHeader) {
     MB2_DEBUG_PRINTF("Checksum: 0x%x\r\n", header->checksum);
 
     tags = (uint8_t*)header + sizeof(*header);
-    mb2_dump_tags(tags);
+    if (header->header_length < sizeof(struct mb2_header))
+        MB2_DEBUG_PRINTF("Invalid header length\r\n");
+    mb2_dump_tags(tags, header->header_length - sizeof(*header));
 }
 #endif /* DEBUG_MB2 */
 
