MCDI helper routines in libefx include length checks for response
messages, to ensure that short replies and optional fields are
handled correctly.
If the MCDI response message from the firmware is larger than the
caller's buffer then the response length reported to the caller
should be limited to the buffer size. Otherwise length checks in
the caller may allow reading past the end of the buffer.
Fixes:
6f619653b9b1 ("net/sfc/base: import MCDI implementation")
Cc: stable@dpdk.org
Signed-off-by: Andy Moreton <amoreton@xilinx.com>
Signed-off-by: Ivan Malov <ivan.malov@oktetlabs.ru>
Reviewed-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
bytes = MIN(emrp->emr_out_length_used, emrp->emr_out_length);
efx_mcdi_read_response(enp, emrp->emr_out_buf, resp_off, bytes);
+ /* Report bytes copied to caller (response message may be larger) */
+ emrp->emr_out_length_used = bytes;
+
#if EFSYS_OPT_MCDI_LOGGING
if (emtp->emt_logger != NULL) {
emtp->emt_logger(emtp->emt_context,