|
@@ -937,24 +937,28 @@ static CXLRetCode cmd_logs_get_log(const struct cxl_cmd *cmd,
|
|
|
|
|
|
get_log = (void *)payload_in;
|
|
get_log = (void *)payload_in;
|
|
|
|
|
|
|
|
+ if (get_log->length > cci->payload_max) {
|
|
|
|
+ return CXL_MBOX_INVALID_INPUT;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (!qemu_uuid_is_equal(&get_log->uuid, &cel_uuid)) {
|
|
|
|
+ return CXL_MBOX_INVALID_LOG;
|
|
|
|
+ }
|
|
|
|
+
|
|
/*
|
|
/*
|
|
* CXL r3.1 Section 8.2.9.5.2: Get Log (Opcode 0401h)
|
|
* CXL r3.1 Section 8.2.9.5.2: Get Log (Opcode 0401h)
|
|
* The device shall return Invalid Input if the Offset or Length
|
|
* The device shall return Invalid Input if the Offset or Length
|
|
* fields attempt to access beyond the size of the log as reported by Get
|
|
* fields attempt to access beyond the size of the log as reported by Get
|
|
- * Supported Logs.
|
|
|
|
|
|
+ * Supported Log.
|
|
*
|
|
*
|
|
- * The CEL buffer is large enough to fit all commands in the emulation, so
|
|
|
|
- * the only possible failure would be if the mailbox itself isn't big
|
|
|
|
- * enough.
|
|
|
|
|
|
+ * Only valid for there to be one entry per opcode, but the length + offset
|
|
|
|
+ * may still be greater than that if the inputs are not valid and so access
|
|
|
|
+ * beyond the end of cci->cel_log.
|
|
*/
|
|
*/
|
|
- if (get_log->length > cci->payload_max) {
|
|
|
|
|
|
+ if ((uint64_t)get_log->offset + get_log->length >= sizeof(cci->cel_log)) {
|
|
return CXL_MBOX_INVALID_INPUT;
|
|
return CXL_MBOX_INVALID_INPUT;
|
|
}
|
|
}
|
|
|
|
|
|
- if (!qemu_uuid_is_equal(&get_log->uuid, &cel_uuid)) {
|
|
|
|
- return CXL_MBOX_INVALID_LOG;
|
|
|
|
- }
|
|
|
|
-
|
|
|
|
/* Store off everything to local variables so we can wipe out the payload */
|
|
/* Store off everything to local variables so we can wipe out the payload */
|
|
*len_out = get_log->length;
|
|
*len_out = get_log->length;
|
|
|
|
|
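Review bot: The new bound `(uint64_t)get_log->offset + get_log->length >= sizeof(cci->cel_log)` also rejects a request whose last byte lands exactly on the end of the buffer, which is still in bounds; the exact limit is `if ((uint64_t)get_log->offset + get_log->length > sizeof(cci->cel_log)) {`. The comparison is against the array's capacity in bytes, while the comment above it cites the log size "as reported by Get Supported Log", so a request inside the array but past the populated entries presumably still succeeds; if `cci` tracks the populated size, bounding by that would match the quoted spec text. Because the bound is a byte count, the code that consumes `get_log->offset` after this hunk (not visible here) must index `cci->cel_log` in bytes too, since pointer arithmetic on an array of multi-byte entries would scale the offset by the entry size and step past what this check allows; that should be confirmed. cmd_logs_get_log begins before and continues after the hunk, so whether the input payload length is validated before the `(void *)payload_in` cast cannot be seen from here.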