michaelh/zephyr
1
0
Fork 0
Code Releases Activity

ipm: cavs: Fix possible buffer overflow

Browse source 
A buffer overflow happens in send() when size is negative because
it is promoted to signed when used in memcpy.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
This commit is contained in:
Flavio Ceolin 2023-09-26 10:39:00 -07:00 committed by Maureen Helm
commit eeea26d206
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
drivers/ipm/ipm_cavs_host.c
View file

@ -56,7 +56,7 @@ static int send(const struct device *dev, int wait, uint32_t id,
return -EBUSY;
}
if (size > MAX_MSG) {
if ((size < 0) || (size > MAX_MSG)) {
return -EMSGSIZE;
}