fix(el3-spmc): improve bound check for descriptor
Ensure that there is sufficient space in the memory
descriptor to accommodate the size of the composite memory
struct as part of the descriptor.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Iea646b144c59a2a1a171298cabb5f31040a8af31
diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 89d7b31..bf3fb28 100644
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -385,7 +385,8 @@
emad_array[0].comp_mrd_offset);
/* Check the calculated address is within the memory descriptor. */
- if ((uintptr_t) mrd >= (uintptr_t)((uint8_t *) orig + desc_size)) {
+ if (((uintptr_t) mrd + sizeof(struct ffa_comp_mrd)) >
+ (uintptr_t)((uint8_t *) orig + desc_size)) {
return 0;
}
size += mrd->address_range_count * sizeof(struct ffa_cons_mrd);
@@ -424,7 +425,8 @@
emad_array[0].comp_mrd_offset);
/* Check the calculated address is within the memory descriptor. */
- if ((uintptr_t) mrd >= (uintptr_t)((uint8_t *) orig + desc_size)) {
+ if (((uintptr_t) mrd + sizeof(struct ffa_comp_mrd)) >
+ (uintptr_t)((uint8_t *) orig + desc_size)) {
return 0;
}
size += mrd->address_range_count * sizeof(struct ffa_cons_mrd);