efi_loader: avoid buffer overrun in efi_var_restore()

The value of buf->length comes from outside U-Boot and may be incorrect. We must avoid to overrun our internal buffer for excessive values. If buf->length is shorter than the variable file header, the variable file is invalid. Reviewed-by: Ilias Apalodimas <[email protected]> Tested-by: Michal Simek <[email protected]> Signed-off-by: Heinrich Schuchardt <[email protected]>
author: Heinrich Schuchardt <[email protected]> 2026-03-11 18:30:33 +0100
committer: Heinrich Schuchardt <[email protected]> 2026-03-14 08:14:01 +0100
commit: a9080e600c214bbff331f95136aa26e7cfbe3375 (patch)
tree: b7ad730b1fe85382aaa461c149ac4d152e1c1032 /lib
parent: 41be502c1c4ac5d2732e9ae278480b9c73405e49 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/efi_loader/efi_var_common.c b/lib/efi_loader/efi_var_common.c
index 5ea1688dca3..c89a4fce4ff 100644
--- a/lib/efi_loader/efi_var_common.c
+++ b/lib/efi_loader/efi_var_common.c
@@ -497,6 +497,8 @@ efi_status_t efi_var_restore(struct efi_var_file *buf, bool safe)
 	efi_status_t ret;
 
 	if (buf->reserved || buf->magic != EFI_VAR_FILE_MAGIC ||
+	    buf->length > EFI_VAR_BUF_SIZE ||
+	    buf->length < sizeof(struct efi_var_file) ||
 	    buf->crc32 != crc32(0, (u8 *)buf->var,
 				buf->length - sizeof(struct efi_var_file))) {
 		log_err("Invalid EFI variables file\n");
author	Heinrich Schuchardt <[email protected]>	2026-03-11 18:30:33 +0100
committer	Heinrich Schuchardt <[email protected]>	2026-03-14 08:14:01 +0100
commit	a9080e600c214bbff331f95136aa26e7cfbe3375 (patch)
tree	b7ad730b1fe85382aaa461c149ac4d152e1c1032 /lib
parent	41be502c1c4ac5d2732e9ae278480b9c73405e49 (diff)