fix(el3-spmc): fix location of fragment length check
Ensure that the fragment_length parameter is validated before it is used,
so that an oversized fragment cannot overflow the descriptor buffer. Reported by Matt Oh, Google Android Red Team.
Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0323c096ffd988fbd85bbd4ade3abd8427aea977
diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 6f6d273..d4d0407 100644
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -885,9 +885,6 @@
goto err_arg;
}
- memcpy((uint8_t *)&obj->desc + obj->desc_filled,
- (uint8_t *) mbox->tx_buffer, fragment_length);
-
if (fragment_length > obj->desc_size - obj->desc_filled) {
WARN("%s: bad fragment size %u > %zu remaining\n", __func__,
fragment_length, obj->desc_size - obj->desc_filled);
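Review bot: Nothing in the hunk documents why the copy must follow this check, so the ordering this commit restores is easy to regress; the relocated memcpy (second hunk) deserves a comment such as `/* Copy only after fragment_length is bounded by the remaining descriptor space; see the check above. */`. The remaining-space test `obj->desc_size - obj->desc_filled` is an unsigned subtraction and silently wraps if desc_filled ever exceeds desc_size, so the check relies on an invariant the hunk does not show — if it is not already enforced where desc_filled is advanced, a comment or `assert(obj->desc_filled <= obj->desc_size);` next to the check would make the dependency explicit. Whether fragment_length is also bounded by the mailbox tx_buffer size before the `goto err_arg` at the top of the hunk is not visible here; if it is not, that bound is still needed since the copy reads fragment_length bytes from mbox->tx_buffer. The enclosing function starts before and ends after this hunk.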
@@ -895,6 +892,9 @@
goto err_arg;
}
+ memcpy((uint8_t *)&obj->desc + obj->desc_filled,
+ (uint8_t *) mbox->tx_buffer, fragment_length);
+
/* Ensure that the sender ID resides in the normal world. */
if (ffa_is_secure_world_id(obj->desc.sender_id)) {
WARN("%s: Invalid sender ID 0x%x.\n",