On Fri, Nov 01, 2024 at 01:39:17PM +0000, Jonathan Cameron wrote:
> If len_in is smaller than the header length then the accessing the
> number of ports will result in an out of bounds access.
> Add a check to avoid this.
>
> Reported-by: Esifiel <esif...@gmail.com>
> Signed-off-by: Jonathan Cameron <jonathan.came...@huawei.com>
> ---
Reviewed-by: Fan Ni <fan...@samsung.com>
> hw/cxl/cxl-mailbox-utils.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> index f4a436e172..2d4d62c454 100644
> --- a/hw/cxl/cxl-mailbox-utils.c
> +++ b/hw/cxl/cxl-mailbox-utils.c
> @@ -530,6 +530,9 @@ static CXLRetCode cmd_get_physical_port_state(const
> struct cxl_cmd *cmd,
> in = (struct cxl_fmapi_get_phys_port_state_req_pl *)payload_in;
> out = (struct cxl_fmapi_get_phys_port_state_resp_pl *)payload_out;
>
> + if (len_in < sizeof(*in)) {
> + return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> + }
> /* Check if what was requested can fit */
> if (sizeof(*out) + sizeof(*out->ports) * in->num_ports >
> cci->payload_max) {
> return CXL_MBOX_INVALID_INPUT;
> --
> 2.43.0
>
--
Fan Ni
