From b6d61e347a64e2263067c8c44415c3ad4d3cea70 Mon Sep 17 00:00:00 2001
From: "Lijian.Zhang" <Lijian.Zhang@arm.com>
Date: Wed, 22 May 2019 18:33:52 +0800
Subject: session: fix memory out of bound issue

Ring data space is following ring vec_header_t and ring elements immediately.
Add verification code in session_test.

Type: fix

Change-Id: I0bfa096a9f459128a588821d99b5cdb4f10ede38
Signed-off-by: Lijian Zhang <Lijian.Zhang@arm.com>
Reviewed-by: Sirshak Das <Sirshak.Das@arm.com>
---
 src/svm/message_queue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/svm')

diff --git a/src/svm/message_queue.c b/src/svm/message_queue.c
index 13d089a97cc..630442064f8 100644
--- a/src/svm/message_queue.c
+++ b/src/svm/message_queue.c
@@ -72,7 +72,7 @@ svm_msg_q_alloc (svm_msg_q_cfg_t * cfg)
   vh = (vec_header_t *) ((u8 *) mq->q + q_sz);
   vh->len = cfg->n_rings;
   mq->rings = (svm_msg_q_ring_t *) (vh + 1);
-  rings_ptr = (u8 *) mq->rings + vec_sz;
+  rings_ptr = (u8 *) mq->rings + sizeof (svm_msg_q_ring_t) * cfg->n_rings;
   for (i = 0; i < cfg->n_rings; i++)
     {
       ring = &mq->rings[i];
-- 
cgit 1.2.3-korg