michaelh/zephyr
1
0
Fork 0
Code Releases Activity

ipc: icmsg_me: Fix possible integer overflow

Browse source 
Fix possible integer overflow and underflow.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
This commit is contained in:
Flavio Ceolin 2024-04-26 16:47:55 -07:00 committed by Anas Nashif
commit cbbb64a3aa
1 changed files with 25 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

33
subsys/ipc/ipc_service/lib/icmsg_me.c
View file

@ -5,6 +5,7 @@
*/
#include <zephyr/ipc/icmsg_me.h>
#include <zephyr/sys/math_extras.h>
#include <string.h>
@ -20,14 +21,24 @@ static void *icmsg_buffer_to_user_buffer(const void *icmsg_buffer)
return (void *)(((char *)icmsg_buffer) + HEADER_SIZE);
}
static size_t icmsg_buffer_len_to_user_buffer_len(size_t icmsg_buffer_len)
static ssize_t icmsg_buffer_len_to_user_buffer_len(size_t icmsg_buffer_len)
{
return icmsg_buffer_len - HEADER_SIZE;
if (icmsg_buffer_len < HEADER_SIZE) {
return -EINVAL;
}
return (ssize_t)(icmsg_buffer_len - HEADER_SIZE);
}
static size_t user_buffer_len_to_icmsg_buffer_len(size_t user_buffer_len)
static ssize_t user_buffer_len_to_icmsg_buffer_len(size_t user_buffer_len)
{
return user_buffer_len + HEADER_SIZE;
size_t ret;
if (size_add_overflow(user_buffer_len, HEADER_SIZE, &ret)) {
return -EINVAL;
}
return (ssize_t)ret;
}
static void set_ept_id_in_send_buffer(uint8_t *send_buffer,
@ -141,6 +152,7 @@ void icmsg_me_received_data(struct icmsg_me_data_t *data, icmsg_me_ept_id_t id,
{
int r;
const struct ipc_ept_cfg *ept;
ssize_t user_buffer_len;
r = icmsg_me_get_ept_cfg(data, id, &ept);
if (r < 0) {
@ -151,10 +163,14 @@ void icmsg_me_received_data(struct icmsg_me_data_t *data, icmsg_me_ept_id_t id,
return;
}
user_buffer_len = icmsg_buffer_len_to_user_buffer_len(len);
if (user_buffer_len < 0) {
return;
}
if (ept->cb.received) {
ept->cb.received(icmsg_buffer_to_user_buffer(msg),
icmsg_buffer_len_to_user_buffer_len(len),
ept->priv);
user_buffer_len, ept->priv);
}
}
@ -164,8 +180,9 @@ int icmsg_me_send(const struct icmsg_config_t *conf,
{
int r;
int sent_bytes = 0;
ssize_t icmsg_buffer_len = user_buffer_len_to_icmsg_buffer_len(len);
if (user_buffer_len_to_icmsg_buffer_len(len) >= SEND_BUF_SIZE) {
if ((icmsg_buffer_len < 0) || (icmsg_buffer_len >= SEND_BUF_SIZE)) {
return -EBADMSG;
}
@ -179,7 +196,7 @@ int icmsg_me_send(const struct icmsg_config_t *conf,
memcpy(icmsg_buffer_to_user_buffer(data->send_buffer), msg, len);
r = icmsg_send(conf, &data->icmsg_data, data->send_buffer,
user_buffer_len_to_icmsg_buffer_len(len));
icmsg_buffer_len);
if (r > 0) {
sent_bytes = icmsg_buffer_len_to_user_buffer_len(r);
}