ipc: icmsg_me: Fix possible integer overflow
Fix possible integer overflow and underflow. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
This commit is contained in:
parent
68ea73aca2
commit
cbbb64a3aa
1 changed files with 25 additions and 8 deletions
|
@ -5,6 +5,7 @@
|
|||
*/
|
||||
|
||||
#include <zephyr/ipc/icmsg_me.h>
|
||||
#include <zephyr/sys/math_extras.h>
|
||||
|
||||
#include <string.h>
|
||||
|
||||
|
@ -20,14 +21,24 @@ static void *icmsg_buffer_to_user_buffer(const void *icmsg_buffer)
|
|||
return (void *)(((char *)icmsg_buffer) + HEADER_SIZE);
|
||||
}
|
||||
|
||||
static size_t icmsg_buffer_len_to_user_buffer_len(size_t icmsg_buffer_len)
|
||||
static ssize_t icmsg_buffer_len_to_user_buffer_len(size_t icmsg_buffer_len)
|
||||
{
|
||||
return icmsg_buffer_len - HEADER_SIZE;
|
||||
if (icmsg_buffer_len < HEADER_SIZE) {
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
return (ssize_t)(icmsg_buffer_len - HEADER_SIZE);
|
||||
}
|
||||
|
||||
static size_t user_buffer_len_to_icmsg_buffer_len(size_t user_buffer_len)
|
||||
static ssize_t user_buffer_len_to_icmsg_buffer_len(size_t user_buffer_len)
|
||||
{
|
||||
return user_buffer_len + HEADER_SIZE;
|
||||
size_t ret;
|
||||
|
||||
if (size_add_overflow(user_buffer_len, HEADER_SIZE, &ret)) {
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
return (ssize_t)ret;
|
||||
}
|
||||
|
||||
static void set_ept_id_in_send_buffer(uint8_t *send_buffer,
|
||||
|
@ -141,6 +152,7 @@ void icmsg_me_received_data(struct icmsg_me_data_t *data, icmsg_me_ept_id_t id,
|
|||
{
|
||||
int r;
|
||||
const struct ipc_ept_cfg *ept;
|
||||
ssize_t user_buffer_len;
|
||||
|
||||
r = icmsg_me_get_ept_cfg(data, id, &ept);
|
||||
if (r < 0) {
|
||||
|
@ -151,10 +163,14 @@ void icmsg_me_received_data(struct icmsg_me_data_t *data, icmsg_me_ept_id_t id,
|
|||
return;
|
||||
}
|
||||
|
||||
user_buffer_len = icmsg_buffer_len_to_user_buffer_len(len);
|
||||
if (user_buffer_len < 0) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (ept->cb.received) {
|
||||
ept->cb.received(icmsg_buffer_to_user_buffer(msg),
|
||||
icmsg_buffer_len_to_user_buffer_len(len),
|
||||
ept->priv);
|
||||
user_buffer_len, ept->priv);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -164,8 +180,9 @@ int icmsg_me_send(const struct icmsg_config_t *conf,
|
|||
{
|
||||
int r;
|
||||
int sent_bytes = 0;
|
||||
ssize_t icmsg_buffer_len = user_buffer_len_to_icmsg_buffer_len(len);
|
||||
|
||||
if (user_buffer_len_to_icmsg_buffer_len(len) >= SEND_BUF_SIZE) {
|
||||
if ((icmsg_buffer_len < 0) || (icmsg_buffer_len >= SEND_BUF_SIZE)) {
|
||||
return -EBADMSG;
|
||||
}
|
||||
|
||||
|
@ -179,7 +196,7 @@ int icmsg_me_send(const struct icmsg_config_t *conf,
|
|||
memcpy(icmsg_buffer_to_user_buffer(data->send_buffer), msg, len);
|
||||
|
||||
r = icmsg_send(conf, &data->icmsg_data, data->send_buffer,
|
||||
user_buffer_len_to_icmsg_buffer_len(len));
|
||||
icmsg_buffer_len);
|
||||
if (r > 0) {
|
||||
sent_bytes = icmsg_buffer_len_to_user_buffer_len(r);
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue