hw/cxl: Check input includes at least the header in cmd_features_set_feature()
A buggy guest might write an insufficiently large message. Check the header is present. Whilst zero data after the header is very odd it will just result in failure to copy any data. Reported-by: Esifiel <esifiel@gmail.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Message-Id: <20241101133917.27634-3-Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
This commit is contained in:
parent
7edbbff5ee
commit
91a743bd02
@ -1238,6 +1238,9 @@ static CXLRetCode cmd_features_set_feature(const struct cxl_cmd *cmd,
|
|||||||
CXLType3Dev *ct3d;
|
CXLType3Dev *ct3d;
|
||||||
uint16_t count;
|
uint16_t count;
|
||||||
|
|
||||||
|
if (len_in < sizeof(*hdr)) {
|
||||||
|
return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
|
||||||
|
}
|
||||||
|
|
||||||
if (!object_dynamic_cast(OBJECT(cci->d), TYPE_CXL_TYPE3)) {
|
if (!object_dynamic_cast(OBJECT(cci->d), TYPE_CXL_TYPE3)) {
|
||||||
return CXL_MBOX_UNSUPPORTED;
|
return CXL_MBOX_UNSUPPORTED;
|
||||||
|
Loading…
Reference in New Issue
Block a user