INTEL-SA-00075-Discovery-Tool.c defines amt_code_versions as:

where AMT_VERSIONS_NUMBER is set to 50. Where does this value come from? Can we really have 50 different versions for a piece of AMT code?

Furthermore, we have the following:

Then, amt_host_if_call allocates acmd->mei_cl.buf_size bytes for what ends up being cast to an amt_host_if_resp_header. amt_get_code_versions ends up doing:

    memcpy(versions, response->data, sizeof(struct amt_code_versions));

which looks like it's copying a huge number of bytes from the response buffer. Shouldn't that be copying just acmd->mei_cl.buf_size bytes? In any case, this all seems to work since otherwise the check for

    response_size != (resp_hdr->length + sizeof(struct amt_host_if_msg_header))

at amt_verify_response_header would fail.
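A bounded version of that copy, as an added example rather than the tool's own code, using constructed and deliberately small struct layouts (field names and AMT_VERSIONS_NUMBER = 4 are assumptions): the payload length declared in the header is checked against sizeof(struct amt_code_versions) before the memcpy, so a short response is rejected instead of being read past its end.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified layouts for this example; the real tool's structs are
 * larger (its AMT_VERSIONS_NUMBER is 50). Field names are assumptions. */
#define AMT_VERSIONS_NUMBER 4
struct amt_host_if_msg_header { uint32_t version, command, length; };
struct amt_host_if_resp_header {
    struct amt_host_if_msg_header header;
    uint32_t status;
    unsigned char data[];          /* header.length covers status + data */
};
struct amt_version_entry { uint16_t major, minor; };
struct amt_code_versions {
    uint32_t count;
    struct amt_version_entry versions[AMT_VERSIONS_NUMBER];
};

/* Builds a constructed response in buf; returns its total size, 0 if it
 * would not fit. */
size_t build_response(void *buf, size_t bufsize, uint32_t payload_len,
                      const void *payload)
{
    struct amt_host_if_resp_header *resp = buf;
    size_t total = sizeof(*resp) + payload_len;
    if (total > bufsize) return 0;
    memset(resp, 0, sizeof(*resp));
    resp->header.length = (uint32_t)sizeof(resp->status) + payload_len;
    memcpy(resp->data, payload, payload_len);
    return total;
}

/* Bounded replacement for the fixed-size memcpy: the copy only happens once
 * the declared payload is known to hold a whole struct amt_code_versions. */
int amt_copy_code_versions(const void *buf, size_t response_size,
                           struct amt_code_versions *out)
{
    const struct amt_host_if_resp_header *resp = buf;
    if (response_size < sizeof(*resp)) return -EINVAL;
    /* The check the post refers to: total size must equal header + length. */
    if (response_size != resp->header.length + sizeof(struct amt_host_if_msg_header))
        return -EPROTO;
    /* The missing guard: does the payload actually contain the struct? */
    if (resp->header.length < sizeof(resp->status) + sizeof(*out))
        return -EMSGSIZE;
    memcpy(out, resp->data, sizeof(*out));
    return 0;
}
```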