From eeea26d20651e7f91de5e7d216a5398551d164da Mon Sep 17 00:00:00 2001
From: Flavio Ceolin <flavio.ceolin@intel.com>
Date: Tue, 26 Sep 2023 10:39:00 -0700
Subject: [PATCH] ipm: cavs: Fix possible buffer overflow

A buffer overflow happens in send() when size is negative because
it is promoted to signed when used in memcpy.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
---
 drivers/ipm/ipm_cavs_host.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ipm/ipm_cavs_host.c b/drivers/ipm/ipm_cavs_host.c
index 308acd8a9a2..5877309d48d 100644
--- a/drivers/ipm/ipm_cavs_host.c
+++ b/drivers/ipm/ipm_cavs_host.c
@@ -56,7 +56,7 @@ static int send(const struct device *dev, int wait, uint32_t id,
 		return -EBUSY;
 	}
 
-	if (size > MAX_MSG) {
+	if ((size < 0) || (size > MAX_MSG)) {
 		return -EMSGSIZE;
 	}