On Fri, Nov 08, 2024 at 05:58:14PM +0000, Jonathan Cameron wrote:
> Zero length data for features doesn't make any sense so exclude that case
> early. This fixes the undefined behavior reported by coverity for a zero
> length memcpy().
>
> Resolves CID 1564900 and 1564901
>
> Reported-by: Peter Maydell <peter.mayd...@linaro.org>
> Signed-off-by: Jonathan Cameron <jonathan.came...@huawei.com>
> ---
> hw/cxl/cxl-mailbox-utils.c | 4 ++++
> 1 file changed, 4 insertions(+)
Reviewed-by: Fan Ni <fan...@samsung.com>
>
> diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
> index 2d4d62c454..ce9aa18364 100644
> --- a/hw/cxl/cxl-mailbox-utils.c
> +++ b/hw/cxl/cxl-mailbox-utils.c
> @@ -1288,6 +1288,10 @@ static CXLRetCode cmd_features_set_feature(const
> struct cxl_cmd *cmd,
> set_feat_info->data_offset = hdr->offset;
> bytes_to_copy = len_in - sizeof(CXLSetFeatureInHeader);
>
> + if (bytes_to_copy == 0) {
> + return CXL_MBOX_INVALID_PAYLOAD_LENGTH;
> + }
> +
> if (qemu_uuid_is_equal(&hdr->uuid, &patrol_scrub_uuid)) {
> if (hdr->version != CXL_MEMDEV_PS_SET_FEATURE_VERSION) {
> return CXL_MBOX_UNSUPPORTED;
--
Fan Ni
