author | Andrew Scull | 2022-05-16 10:41:39 +0000 |
---|---|---|
committer | Tom Rini | 2022-06-08 09:24:04 -0400 |
commit | 43937a4f5e411b3a82014fe0fa78ef4de90b11c2 (patch) | |
tree | b5cdedd90ad28a3cc937bd335b5a9e93748b83df /drivers/virtio | |
parent | 420b3e51f4f64ebc6ab88f751f116e634894b231 (diff) |
virtio: rng: Check length before copying
Check the length of data written by the device is consistent with the
size of the buffers to avoid out-of-bounds memory accesses in case
values aren't consistent.
Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'drivers/virtio')
-rw-r--r-- | drivers/virtio/virtio_rng.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/virtio/virtio_rng.c b/drivers/virtio/virtio_rng.c index 9314c0a03ed..b85545c2ee5 100644 --- a/drivers/virtio/virtio_rng.c +++ b/drivers/virtio/virtio_rng.c @@ -41,6 +41,9 @@ static int virtio_rng_read(struct udevice *dev, void *data, size_t len) while (!virtqueue_get_buf(priv->rng_vq, &rsize)) ; + if (rsize > sg.length) + return -EIO; + memcpy(ptr, buf, rsize); len -= rsize; ptr += rsize; |
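Review bot: The added `if (rsize > sg.length)` test in `virtio_rng_read()` bounds the device-reported length against the descriptor length only, so the `memcpy(ptr, buf, rsize)` and `len -= rsize` that follow are safe only if `sg.length` is itself capped at both the size of `buf` and the remaining `len`, and that assignment is outside the lines shown in this hunk. `len` is a `size_t`, so an `rsize` larger than `len` would wrap the subtraction instead of going negative. Please confirm that cap where `sg.length` is assigned, and consider a one-line comment above the check stating that `rsize` is written by the device and is untrusted, so the invariant survives later changes to the buffer setup.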