From 9747ca415125e3193e0df7a6bac1bbdab259379c Mon Sep 17 00:00:00 2001
From: Leah Rowe <leah@libreboot.org>
Date: Tue, 10 Mar 2026 05:33:12 +0000
Subject: util/nvmutil: abort if I/O len exceeds SSIZE_MAX

in rw_file_exact

otherwise, if length exceeds SSIZE_MAX, we could
hit an overflow

the buffers and lengths we deal with are relatively
small anyway, so this fix is preventative

Signed-off-by: Leah Rowe <leah@libreboot.org>
---
 util/nvmutil/nvmutil.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'util/nvmutil/nvmutil.c')

diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index a6790f86..160981ad 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -267,6 +267,10 @@ static const char *mac_str;
 static const char *fname;
 static const char *argv0;
 
+#ifndef SSIZE_MAX
+#define SSIZE_MAX ((ssize_t)((size_t)-1 >> 1))
+#endif
+
 /*
  * Use these for .invert in command[]:
  * If set to 1: read/write inverter (p0->p1, p1->p0)
@@ -1327,6 +1331,10 @@ rw_file_exact(int fd, uint8_t *mem, size_t len,
 		err(EIO, "%s: %s: Bad fd %d", path, rw_type_str, fd);
 	if (!len)
 		err(EIO, "%s: %s: Zero length", path, rw_type_str);
+	if (len > (size_t)SSIZE_MAX)
+		err(EIO,
+		    "%s: %s: Requested length (%zu) exceeds SSIZE_MAX (%zd)",
+		    path, rw_type_str, len, SSIZE_MAX);
 
 	for (rc = 0; rc != (ssize_t)len; rc += rval) {
 		if (rw_type == PSCHREIB)
-- 
cgit v1.2.1