Message ID | 20241101133917.27634-10-Jonathan.Cameron@huawei.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | hw/cxl: Mailbox input parser hardening against invalid input. | expand |
On Fri, Nov 01, 2024 at 01:39:16PM +0000, Jonathan Cameron wrote: > The properties of the requested set command cannot be established if > len_in is less than the size of the header. > > Reported-by: Esifiel <esifiel@gmail.com> > Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> > --- Reviewed-by: Fan Ni <fan.ni@samsung.com> > hw/cxl/cxl-mailbox-utils.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c > index 078782e8b9..f4a436e172 100644 > --- a/hw/cxl/cxl-mailbox-utils.c > +++ b/hw/cxl/cxl-mailbox-utils.c > @@ -1503,8 +1503,8 @@ static CXLRetCode cmd_ccls_set_lsa(const struct cxl_cmd *cmd, > const size_t hdr_len = offsetof(struct set_lsa_pl, data); > > *len_out = 0; > - if (!len_in) { > - return CXL_MBOX_SUCCESS; > + if (len_in < hdr_len) { > + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; > } > > if (set_lsa_payload->offset + len_in > cvc->get_lsa_size(ct3d) + hdr_len) { > -- > 2.43.0 >
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 078782e8b9..f4a436e172 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -1503,8 +1503,8 @@ static CXLRetCode cmd_ccls_set_lsa(const struct cxl_cmd *cmd, const size_t hdr_len = offsetof(struct set_lsa_pl, data); *len_out = 0; - if (!len_in) { - return CXL_MBOX_SUCCESS; + if (len_in < hdr_len) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; } if (set_lsa_payload->offset + len_in > cvc->get_lsa_size(ct3d) + hdr_len) {
The properties of the requested set command cannot be established if len_in is less than the size of the header. Reported-by: Esifiel <esifiel@gmail.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> --- hw/cxl/cxl-mailbox-utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)