hw/cxl: Check the length of data requested fits in get_log() Checking offset + length is of no relevance when verifying the CEL data will fit in the mailbox payload. Only the length is is relevant. Note that this removes a potential overflow. Reported-by: Esifiel <esifiel@gmail.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Message-Id: <20241101133917.27634-6-Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

commit: f9f0fa2438c6934aa76b06e9a6cef283176ceb8d [log] [tgz]
author: Jonathan Cameron <Jonathan.Cameron@huawei.com> Fri Nov 01 13:39:12 2024 +0000
committer: Michael S. Tsirkin <mst@redhat.com> Mon Nov 04 16:03:25 2024 -0500
tree: 66fd3dc2d2bb14fdef577b63c0f705b303699603
parent: a3995360aeec62902f045142840c1fd334e9725f [diff]
diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c
index 27fadc4..2aa7ffe 100644
--- a/hw/cxl/cxl-mailbox-utils.c
+++ b/hw/cxl/cxl-mailbox-utils.c

@@ -947,7 +947,7 @@
      * the only possible failure would be if the mailbox itself isn't big
      * enough.
      */
-    if (get_log->offset + get_log->length > cci->payload_max) {
+    if (get_log->length > cci->payload_max) {
         return CXL_MBOX_INVALID_INPUT;
     }
commit	f9f0fa2438c6934aa76b06e9a6cef283176ceb8d	[log] [tgz]
author	Jonathan Cameron <Jonathan.Cameron@huawei.com>	Fri Nov 01 13:39:12 2024 +0000
committer	Michael S. Tsirkin <mst@redhat.com>	Mon Nov 04 16:03:25 2024 -0500
tree	66fd3dc2d2bb14fdef577b63c0f705b303699603
parent	a3995360aeec62902f045142840c1fd334e9725f [diff]