:: commit c54d7a2f13207a2ea449ac4ab8d847a1bf57cdd3
protos/multiboot2: Bound information_request tag size to header area
diff --git a/common/protos/multiboot2.c b/common/protos/multiboot2.c
index b7ec894a..15871117 100644
--- a/common/protos/multiboot2.c
+++ b/common/protos/multiboot2.c
@@ -164,6 +164,10 @@ noreturn void multiboot2_load(char *config, char* cmdline) {
if (request->size < sizeof(struct multiboot_header_tag_information_request)) {
panic(true, "multiboot2: Invalid information request tag size");
}
+ size_t tag_remaining = (uintptr_t)header + header->header_length - (uintptr_t)tag;
+ if (request->size > tag_remaining) {
+ panic(true, "multiboot2: Information request tag exceeds header bounds");
+ }
uint32_t size = (request->size - sizeof(struct multiboot_header_tag_information_request)) / sizeof(uint32_t);
for (uint32_t i = 0; i < size; i++) {
