From: Satheesh Paul <psathe...@marvell.com>

The subtraction expression in mbox_memcpy() can wrap around causing an out-of-bounds access. Added a check on 'size' to fix this.

Coverity issue: 384431, 384439 Fixes: 585bb3e538f9 ("common/cnxk: add VF support to base device class") Cc: sta...@dpdk.org Signed-off-by: Satheesh Paul <psathe...@marvell.com> Reviewed-by: Harman Kalra <hka...@marvell.com> --- drivers/common/cnxk/roc_dev.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/common/cnxk/roc_dev.c b/drivers/common/cnxk/roc_dev.c index 084343c3b4..14aff233d5 100644 --- a/drivers/common/cnxk/roc_dev.c +++ b/drivers/common/cnxk/roc_dev.c @@ -502,6 +502,8 @@ pf_vf_mbox_send_up_msg(struct dev *dev, void *rec_msg) size_t size; size = PLT_ALIGN(mbox_id2size(msg->hdr.id), MBOX_MSG_ALIGN); + if (size < sizeof(struct mbox_msghdr)) + return; /* Send UP message to all VF's */ for (vf = 0; vf < vf_mbox->ndevs; vf++) { /* VF active */ -- 2.39.2
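
Review bot: The new `if (size < sizeof(struct mbox_msghdr)) return;` in pf_vf_mbox_send_up_msg() drops the UP message silently, and with a bare `return;` the caller cannot learn that nothing was forwarded to the VFs. Log the rejected msg->hdr.id before returning so an undersized or unexpected message id shows up in diagnostics. A one-line comment above the check naming the mbox_memcpy() subtraction it guards would also help, since that expression is not in this hunk. The check sets only a lower bound on size; the visible lines do not show size being compared against the space available in the VF mailbox, so confirm that an upper bound is enforced elsewhere in the loop.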