On Fri, Nov 01, 2024 at 01:39:12PM +0000, Jonathan Cameron wrote:
> Checking offset + length is of no relevance when verifying the CEL
> data will fit in the mailbox payload. Only the length is is relevant.
s/is is/is/
>
> Note that this removes a potential overflow.
>
> Reported-by: Esifiel <esif...@gmail.com>
> Signed-off-by: Jonathan Cameron <jonathan.came...@huawei.com>
> ---
> hw/cxl/cxl-mailbox-utils.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> index 27fadc4fa8..2aa7ffed84 100644
> --- a/hw/cxl/cxl-mailbox-utils.c
> +++ b/hw/cxl/cxl-mailbox-utils.c
> @@ -947,7 +947,7 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd
> *cmd,
> * the only possible failure would be if the mailbox itself isn't big
> * enough.
> */
> - if (get_log->offset + get_log->length > cci->payload_max) {
> + if (get_log->length > cci->payload_max) {
If offset is beyond the size of cel_log, will it be a problem?
There is a comment just above saying "
* The CEL buffer is large enough to fit all commands in the emulation, so
* the only possible failure would be if the mailbox itself isn't big
* enough.
"
Not sure how it avoids the case when the offset is too large.
Fan
> return CXL_MBOX_INVALID_INPUT;
> }
>
> --
> 2.43.0
>
--
Fan Ni
