Fix first fuzzing bug! Don't allow NullName as a full NameString

The spec isn't clear about this, but in the library we assume that an `AmlName` is not empty. However, if a NullName appears as the only element of a NamePath, we can accidently create an empty AmlName when we parse a NameString. This has never come up in real tables, but was detected during fuzzing as breaking a whole bunch of stuff in the namespace searching (due to the assumptions about AmlName being broken).
rust-osdev · Nov 12, 2020 · 5647249 · 5647249
1 parent a93cfa2
commit 5647249
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/aml/src/name_object.rs b/aml/src/name_object.rs
@@ -99,7 +99,15 @@ where
         match first_char {
             ROOT_CHAR => root_name_string.parse(input, context),
             PREFIX_CHAR => prefix_path.parse(input, context),
-            _ => name_path().map(|path| Ok(AmlName(path))).parse(input, context),
+            _ => name_path()
+                .map(|path| {
+                    if path.len() == 0 {
+                        return Err(AmlError::EmptyNamesAreInvalid);
+                    }
+
+                    Ok(AmlName(path))
+                })
+                .parse(input, context),
         }
     })
 }
@@ -125,8 +133,6 @@ where
 {
     /*
      * NullName := 0x00
-     *
-     * This doesn't actually allocate because the `Vec`'s capacity is zero.
      */
     opcode(NULL_NAME).map(|_| Ok(Vec::with_capacity(0)))
 }