mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

hw/cxl: Check input length is large enough in cmd_events_clear_records()

Browse Source 
Buggy software might write a message that is too short for
either the header, or the header + the event data that is specified
in the header.  This may result in accesses beyond the range of the
message allocated as a duplicate of the incoming message buffer.

Reported-by: Esifiel <esifiel@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20241101133917.27634-4-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
This commit is contained in:
Jonathan Cameron 2024-11-01 13:39:10 +00:00 committed by Michael S. Tsirkin
parent 91a743bd02
commit f4a12ba66b
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hw/cxl/cxl-mailbox-utils.c
View File

@ -266,6 +266,12 @@ static CXLRetCode cmd_events_clear_records(const struct cxl_cmd *cmd,
CXLClearEventPayload *pl; CXLClearEventPayload *pl;
pl = (CXLClearEventPayload *)payload_in; pl = (CXLClearEventPayload *)payload_in;
if (len_in < sizeof(*pl) ||
len_in < sizeof(*pl) + sizeof(*pl->handle) * pl->nr_recs) {
return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
}
*len_out = 0; *len_out = 0;
return cxl_event_clear_records(cxlds, pl); return cxl_event_clear_records(cxlds, pl);
} }