From: Jonathan Cameron Date: Fri, 1 Nov 2024 13:39:12 +0000 (+0000) Subject: hw/cxl: Check the length of data requested fits in get_log() X-Git-Tag: v9.2.0-rc0~17^2~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9f0fa2438c6934aa76b06e9a6cef283176ceb8d;p=thirdparty%2Fqemu.git hw/cxl: Check the length of data requested fits in get_log() Checking offset + length is of no relevance when verifying the CEL data will fit in the mailbox payload. Only the length is relevant. Note that this removes a potential overflow. Reported-by: Esifiel Signed-off-by: Jonathan Cameron Message-Id: <20241101133917.27634-6-Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 27fadc4fa81..2aa7ffed846 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -947,7 +947,7 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd *cmd, * the only possible failure would be if the mailbox itself isn't big * enough. */ - if (get_log->offset + get_log->length > cci->payload_max) { + if (get_log->length > cci->payload_max) { return CXL_MBOX_INVALID_INPUT; }
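Review bot: With the condition reduced to `if (get_log->length > cci->payload_max)`, `get_log->offset` is no longer validated anywhere in the visible lines, so nothing shown here bounds the source range (offset plus length) against the size of the log being read. The new check is the right one for the destination side, and dropping the sum removes the wraparound the commit message mentions, but the retained comment still says the only possible failure is the mailbox being too small, which is only true if the offset is constrained elsewhere. Suggest either adding a separate source-side check written so it cannot overflow (compare `offset` against the log size first, then `length` against the log size minus `offset`), or extending the comment to name where that bound is enforced. It would also help to state in the comment that `length` alone is compared because the payload is written from the start of the output buffer.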