From cef0cc1a07a50fe6ece9692e1d45790ee16d61ed Mon Sep 17 00:00:00 2001 From: Jakub Grajciar Date: Mon, 1 Mar 2021 08:54:35 +0100 Subject: libmemif: verify length of transmitted buffers In memif_tx_burst verify that total buffer size (data_offset + data_len) does not exceed buffer size. If not valid returns MEMIF_ERR_INVAL_ARG. Type: fix Signed-off-by: Jakub Grajciar Change-Id: Ifae8f92344a401febbc1efd22c301356ccf83d44 --- extras/libmemif/src/main.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'extras/libmemif/src') diff --git a/extras/libmemif/src/main.c b/extras/libmemif/src/main.c index 36f1251a158..e70334ae40f 100644 --- a/extras/libmemif/src/main.c +++ b/extras/libmemif/src/main.c @@ -2496,11 +2496,12 @@ memif_tx_burst (memif_conn_handle_t conn, uint16_t qid, data_offset = b0->data - (d->offset + c->regions[d->region].addr); if (data_offset != 0) { - /* verify data offset */ + /* verify data offset and buffer length */ if ((data_offset < 0) || - (data_offset > (d->offset + offset_mask))) + ((data_offset + b0->len) > c->run_args.buffer_size)) { - printf ("%ld\n", data_offset); + DBG ("slot: %d, data_offset: %d, length: %d", + b0->desc_index & mask, data_offset, b0->len); err = MEMIF_ERR_INVAL_ARG; goto done; } -- cgit 1.2.3-korg