On Fri, Nov 01, 2024 at 01:39:09PM +0000, Jonathan Cameron wrote:
> A buggy guest might write an insufficiently large message.
> Check the header is present. Whilst zero data after the header is very
> odd it will just result in failure to copy any data.
>
> Reported-by: Esifiel <esif...@gmail.com>
> Signed-off-by: Jonathan Cameron <jonathan.came...@huawei.com>
> ---

Reviewed-by: Fan Ni <fan...@samsung.com> > hw/cxl/cxl-mailbox-utils.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c > index 17924410dd..e63140aefe 100644 > --- a/hw/cxl/cxl-mailbox-utils.c > +++ b/hw/cxl/cxl-mailbox-utils.c > @@ -1238,6 +1238,9 @@ static CXLRetCode cmd_features_set_feature(const struct > cxl_cmd *cmd, > CXLType3Dev *ct3d; > uint16_t count; > > + if (len_in < sizeof(*hdr)) { > + return CXL_MBOX_INVALID_PAYLOAD_LENGTH; > + } > > if (!object_dynamic_cast(OBJECT(cci->d), TYPE_CXL_TYPE3)) { > return CXL_MBOX_UNSUPPORTED; > -- > 2.43.0 > -- Fan Ni
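
Review bot: The length check added at the top of cmd_features_set_feature() only guarantees that sizeof(*hdr) bytes are present, and the commit message relies on a header-only payload failing harmlessly in the later copy, which this hunk does not show. A one-line comment above `if (len_in < sizeof(*hdr))` stating that assumption, or an explicit lower bound on the data that follows the header, would make it auditable. The check also runs before the TYPE_CXL_TYPE3 test, so a short payload sent to a non-Type 3 device now returns CXL_MBOX_INVALID_PAYLOAD_LENGTH rather than CXL_MBOX_UNSUPPORTED; worth confirming that ordering is intended. Since the commit message describes this as reachable by a buggy guest, a Fixes: tag next to the Reported-by would help backports.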