From cbbb64a3aa299d241a7f82cb313348a6d65ba35e Mon Sep 17 00:00:00 2001
From: Flavio Ceolin <flavio.ceolin@intel.com>
Date: Fri, 26 Apr 2024 16:47:55 -0700
Subject: [PATCH] ipc: icmsg_me: Fix possible integer overflow

Fix possible integer overflow and underflow.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
---
 subsys/ipc/ipc_service/lib/icmsg_me.c | 33 ++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/subsys/ipc/ipc_service/lib/icmsg_me.c b/subsys/ipc/ipc_service/lib/icmsg_me.c
index 24e3ba6514e..b4d384e6bb0 100644
--- a/subsys/ipc/ipc_service/lib/icmsg_me.c
+++ b/subsys/ipc/ipc_service/lib/icmsg_me.c
@@ -5,6 +5,7 @@
  */
 
 #include <zephyr/ipc/icmsg_me.h>
+#include <zephyr/sys/math_extras.h>
 
 #include <string.h>
 
@@ -20,14 +21,24 @@ static void *icmsg_buffer_to_user_buffer(const void *icmsg_buffer)
 	return (void *)(((char *)icmsg_buffer) + HEADER_SIZE);
 }
 
-static size_t icmsg_buffer_len_to_user_buffer_len(size_t icmsg_buffer_len)
+static ssize_t icmsg_buffer_len_to_user_buffer_len(size_t icmsg_buffer_len)
 {
-	return icmsg_buffer_len - HEADER_SIZE;
+	if (icmsg_buffer_len < HEADER_SIZE) {
+		return -EINVAL;
+	}
+
+	return (ssize_t)(icmsg_buffer_len - HEADER_SIZE);
 }
 
-static size_t user_buffer_len_to_icmsg_buffer_len(size_t user_buffer_len)
+static ssize_t user_buffer_len_to_icmsg_buffer_len(size_t user_buffer_len)
 {
-	return user_buffer_len + HEADER_SIZE;
+	size_t ret;
+
+	if (size_add_overflow(user_buffer_len, HEADER_SIZE, &ret)) {
+		return -EINVAL;
+	}
+
+	return (ssize_t)ret;
 }
 
 static void set_ept_id_in_send_buffer(uint8_t *send_buffer,
@@ -141,6 +152,7 @@ void icmsg_me_received_data(struct icmsg_me_data_t *data, icmsg_me_ept_id_t id,
 {
 	int r;
 	const struct ipc_ept_cfg *ept;
+	ssize_t user_buffer_len;
 
 	r = icmsg_me_get_ept_cfg(data, id, &ept);
 	if (r < 0) {
@@ -151,10 +163,14 @@ void icmsg_me_received_data(struct icmsg_me_data_t *data, icmsg_me_ept_id_t id,
 		return;
 	}
 
+	user_buffer_len = icmsg_buffer_len_to_user_buffer_len(len);
+	if (user_buffer_len < 0) {
+		return;
+	}
+
 	if (ept->cb.received) {
 		ept->cb.received(icmsg_buffer_to_user_buffer(msg),
-				 icmsg_buffer_len_to_user_buffer_len(len),
-				 ept->priv);
+				 user_buffer_len, ept->priv);
 	}
 }
 
@@ -164,8 +180,9 @@ int icmsg_me_send(const struct icmsg_config_t *conf,
 {
 	int r;
 	int sent_bytes = 0;
+	ssize_t icmsg_buffer_len = user_buffer_len_to_icmsg_buffer_len(len);
 
-	if (user_buffer_len_to_icmsg_buffer_len(len) >= SEND_BUF_SIZE) {
+	if ((icmsg_buffer_len < 0) || (icmsg_buffer_len >= SEND_BUF_SIZE)) {
 		return -EBADMSG;
 	}
 
@@ -179,7 +196,7 @@ int icmsg_me_send(const struct icmsg_config_t *conf,
 	memcpy(icmsg_buffer_to_user_buffer(data->send_buffer), msg, len);
 
 	r = icmsg_send(conf, &data->icmsg_data, data->send_buffer,
-		       user_buffer_len_to_icmsg_buffer_len(len));
+		       icmsg_buffer_len);
 	if (r > 0) {
 		sent_bytes = icmsg_buffer_len_to_user_buffer_len(r);
 	}