-rw-r--r--src/include/ipxe/errfile.h1
-rw-r--r--src/interface/linux/linux_acpi.c10
2 files changed, 11 insertions, 0 deletions
diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h
index 3daf7bde7..e3bf9f565 100644
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -389,6 +389,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#define ERRFILE_efi_autoexec ( ERRFILE_OTHER | 0x00540000 )
#define ERRFILE_efi_cachedhcp ( ERRFILE_OTHER | 0x00550000 )
#define ERRFILE_linux_sysfs ( ERRFILE_OTHER | 0x00560000 )
+#define ERRFILE_linux_acpi ( ERRFILE_OTHER | 0x00570000 )
/** @} */
diff --git a/src/interface/linux/linux_acpi.c b/src/interface/linux/linux_acpi.c
index 851cc54e6..e658936f2 100644
--- a/src/interface/linux/linux_acpi.c
+++ b/src/interface/linux/linux_acpi.c
@@ -57,6 +57,7 @@ static LIST_HEAD ( linux_acpi_tables );
*/
static userptr_t linux_acpi_find ( uint32_t signature, unsigned int index ) {
struct linux_acpi_table *table;
+ struct acpi_header *header;
union {
uint32_t signature;
char filename[5];
@@ -100,6 +101,14 @@ static userptr_t linux_acpi_find ( uint32_t signature, unsigned int index ) {
filename, strerror ( rc ) );
goto err_read;
}
+ header = user_to_virt ( table->data, 0 );
+ if ( ( ( ( size_t ) len ) < sizeof ( *header ) ) ||
+ ( ( ( size_t ) len ) < le32_to_cpu ( header->length ) ) ) {
+ rc = -ENOENT;
+ DBGC ( &linux_acpi_tables, "ACPI underlength %s (%d bytes)\n",
+ filename, len );
+ goto err_len;
+ }
/* Add to list of tables */
list_add ( &table->list, &linux_acpi_tables );
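Review bot: A table whose `header->length` field is smaller than `sizeof ( *header )` still passes the new check, because both comparisons only bound `len` from below and never bound the declared length itself. Code that later trusts `header->length` (not visible in this hunk, so this is inferred) would then be working from a value inconsistent with the header it was read from; adding `( le32_to_cpu ( header->length ) < sizeof ( *header ) ) ||` as a further condition closes that gap. The failure path also returns `-ENOENT`, which callers cannot tell apart from a table that does not exist, so a short comment such as `/* Treat malformed tables as absent */` would record that this is deliberate. The body of linux_acpi_find starts and ends outside this hunk.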
@@ -107,6 +116,7 @@ static userptr_t linux_acpi_find ( uint32_t signature, unsigned int index ) {
return table->data;
+ err_len:
ufree ( table->data );
err_read:
free ( table );