[PATCH 2/5 v4] accel/qaic: tighten bounds checking in decode_message()
Pranjal Ramajor Asha Kanojiya
quic_pkanojiy at quicinc.com
Fri Jul 14 11:42:10 UTC 2023
On 7/11/2023 1:50 PM, Dan Carpenter wrote:
> Copy the bounds checking from encode_message() to decode_message().
>
> This patch addresses the following concerns. Ensure that there is
> enough space for at least one header so that we don't have a negative
> size later.
>
> if (msg_hdr_len < sizeof(*trans_hdr))
>
> Ensure that we have enough space to read the next header from the
> msg->data.
>
> if (msg_len > msg_hdr_len - sizeof(*trans_hdr))
> return -EINVAL;
>
> Check that the trans_hdr->len is not below the minimum size:
>
> if (hdr_len < sizeof(*trans_hdr))
>
> This minimum check ensures that we don't corrupt memory in
> decode_passthrough() when we do.
>
> memcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr));
>
> And finally, use size_add() to prevent an integer overflow:
>
> if (size_add(msg_len, hdr_len) > msg_hdr_len)
>
> Fixes: 129776ac2e38 ("accel/qaic: Add control path")
> Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org>
Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy at quicinc.com>
More information about the dri-devel
mailing list