From c5bb002f7780588a22e284411f68b8f145d3618f Mon Sep 17 00:00:00 2001
From: Flavio Ceolin
Date: Sun, 6 Aug 2023 23:30:29 -0700
Subject: [PATCH] espi: mchp_xec_v2: Fix possible buffer overflow

Check the packet lenght in flash_write operation beforeSigned-off-by copying it to an internal buffer.
Signed-off-by: Flavio Ceolin
---
 drivers/espi/espi_mchp_xec_v2.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/espi/espi_mchp_xec_v2.c b/drivers/espi/espi_mchp_xec_v2.c
index 52d74973e9e..9d22bc5459b 100644
--- a/drivers/espi/espi_mchp_xec_v2.c
+++ b/drivers/espi/espi_mchp_xec_v2.c
@@ -524,6 +524,11 @@ static int espi_xec_flash_write(const struct device *dev,
 LOG_DBG("%s", __func__);
+ if (sizeof(target_mem) < pckt->len) {
+ LOG_ERR("Packet length is too big");
+ return -ENOMEM;
+ }
+
 if (!(regs->FCSTS & MCHP_ESPI_FC_STS_CHAN_EN)) {
 LOG_ERR("Flash channel is disabled");
 return -EIO;
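Review bot: The new guard in espi_xec_flash_write reports an out-of-range, caller-supplied length as `-ENOMEM`, which reads as an allocation failure; `return -EINVAL;` would describe a rejected request more accurately and let callers tell the two apart. The check is only a valid bound if `sizeof(target_mem)` yields the buffer's size in bytes, which holds when `target_mem` is declared as an array rather than a pointer; that declaration is outside the hunk and should be confirmed. The copy this guards and the rest of the function body are also outside the hunk, so it is worth verifying that the other flash-channel operations that use the same buffer with `pckt->len` carry an equivalent bound. A one-line comment above the check, such as `/* pckt->len is caller-controlled; bound it before the copy into target_mem */`, would make the intent clear to later maintainers.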