Skip to content

Commit

Permalink
common/cnxk: fix possible out-of-bounds access
Browse files Browse the repository at this point in the history 
[ upstream commit 9a92937cf0c836b7f2b5e303523279ddf9473a35 ]

The subtraction expression in mbox_memcpy() can wrap around
causing an out-of-bounds access. Added a check on 'size' to
fix this.

Coverity issue: 384431, 384439
Fixes: 585bb3e ("common/cnxk: add VF support to base device class")

Signed-off-by: Satheesh Paul <psatheesh@marvell.com>
Reviewed-by: Harman Kalra <hkalra@marvell.com>
  • Loading branch information
@satheeshpaul @bluca
satheeshpaul authored and bluca committed Mar 13, 2024
1 parent a1f69f5 commit f29c2d6
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions drivers/common/cnxk/roc_dev.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -466,6 +466,8 @@ pf_vf_mbox_send_up_msg(struct dev *dev, void *rec_msg)
size_t size;

size = PLT_ALIGN(mbox_id2size(msg->hdr.id), MBOX_MSG_ALIGN);
if (size < sizeof(struct mbox_msghdr))
return;
/* Send UP message to all VF's */
for (vf = 0; vf < vf_mbox->ndevs; vf++) {
/* VF active */
Expand Down

0 comments on commit f29c2d6

Please sign in to comment.