From d9acbc4cd0e985b02bc0f22b12aeddd8e8ec8318 Mon Sep 17 00:00:00 2001
From: Zdenek Styblik <stybla@turnovfree.net>
Date: Sun, 4 Jan 2015 14:58:37 +0100
Subject: [PATCH] ID:358 - check data length in else branch of ipmi_spd_print()

Commit adds data length check into '} else {' branch of ipmi_spd_print() in
order to avoid out-of-bound access.
---
 lib/dimm_spd.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
index 245599d..1b0eec8 100644
--- a/lib/dimm_spd.c
+++ b/lib/dimm_spd.c
@@ -950,6 +950,9 @@ ipmi_spd_print(uint8_t *spd_data, int len)
 	}
 	else
 	{
+		if (len < 100) {
+			return (-1);
+		}
 		ii = (spd_data[3] & 0x0f) + (spd_data[4] & 0x0f) - 17;
 		k = ((spd_data[5] & 0x7) + 1) * spd_data[17];