From e7e36b90305d2e867259ba428512f02c1c11a0d8 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Wed, 10 Oct 2018 14:54:05 +0200
Subject: [PATCH] efivars: check path_len before using it as loop boundary

---
 src/shared/efivars.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/shared/efivars.c b/src/shared/efivars.c
index 3931bee559..da70e68c81 100644
--- a/src/shared/efivars.c
+++ b/src/shared/efivars.c
@@ -412,9 +412,13 @@ int efi_get_boot_option(
 
         if (header->path_len > 0) {
                 uint8_t *dbuf;
-                size_t dnext;
+                size_t dnext, doff;
+
+                doff = offsetof(struct boot_option, title) + title_size;
+                dbuf = buf + doff;
+                if (header->path_len > l - doff)
+                        return -EINVAL;
 
-                dbuf = buf + offsetof(struct boot_option, title) + title_size;
                 dnext = 0;
                 while (dnext < header->path_len) {
                         struct device_path *dpath;