diff options
| author | Jonathan Cameron <Jonathan.Cameron@huawei.com> | 2024-11-01 13:39:10 +0000 |
|---|---|---|
| committer | Michael S. Tsirkin <mst@redhat.com> | 2024-11-04 16:03:25 -0500 |
| commit | f4a12ba66bebfe200d7f56015c1cd5af321ab152 (patch) | |
| tree | 120f00aa699323e08b7642f9740fb941752b5c33 | |
| parent | 91a743bd021a262af61c79cc35f0b634b2fcf3ad (diff) | |
| download | qemu-f4a12ba66bebfe200d7f56015c1cd5af321ab152.zip qemu-f4a12ba66bebfe200d7f56015c1cd5af321ab152.tar.gz qemu-f4a12ba66bebfe200d7f56015c1cd5af321ab152.tar.bz2 | |
hw/cxl: Check input length is large enough in cmd_events_clear_records()
Buggy software might write a message that is too short for
either the header, or the header + the event data that is specified
in the header. This may result in accesses beyond the range of the
message allocated as a duplicate of the incoming message buffer.
Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20241101133917.27634-4-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
| -rw-r--r-- | hw/cxl/cxl-mailbox-utils.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index e63140a..3cb499a 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -266,6 +266,12 @@ static CXLRetCode cmd_events_clear_records(const struct cxl_cmd *cmd, CXLClearEventPayload *pl; pl = (CXLClearEventPayload *)payload_in; + + if (len_in < sizeof(*pl) || + len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) { + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; + } + *len_out = 0; return cxl_event_clear_records(cxlds, pl); } |