From dda052851a78fad150b6565ea4bb75644bd37dce Mon Sep 17 00:00:00 2001
From: David Vincze
Date: Mon, 6 Mar 2023 15:02:08 +0100
Subject: [PATCH] fix(rss): fix msg deserialization bugs in comms
-fix1: size of struct instead of pointer during reply_size check
-fix2: update the out_vec length with the actual length from reply message (e.g. in case of an output buffer, the returned output data length remained the size of the buffer and was not updated with the size of the actual data in it)
Change-Id: Ibed5520ca1fb05df358de4bdf85ace219183866c
Signed-off-by: David Vincze
---
 drivers/arm/rss/rss_comms_protocol_embed.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/arm/rss/rss_comms_protocol_embed.c b/drivers/arm/rss/rss_comms_protocol_embed.c
index 801b7ccbb..c453258f2 100644
--- a/drivers/arm/rss/rss_comms_protocol_embed.c
+++ b/drivers/arm/rss/rss_comms_protocol_embed.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -54,7 +54,9 @@ psa_status_t rss_protocol_embed_serialize_msg(psa_handle_t handle,
  if (in_vec[i].len > sizeof(msg->trailer) - payload_size) {
  return PSA_ERROR_INVALID_ARGUMENT;
  }
- memcpy(msg->trailer + payload_size, in_vec[i].base, in_vec[i].len);
+ memcpy(msg->trailer + payload_size,
+ in_vec[i].base,
+ in_vec[i].len);
  payload_size += in_vec[i].len;
  }
@@ -77,12 +79,16 @@ psa_status_t rss_protocol_embed_deserialize_reply(psa_outvec *out_vec,
  assert(return_val != NULL);
  for (i = 0U; i < out_len; ++i) {
- if (sizeof(reply) - sizeof(reply->trailer) + payload_offset > reply_size) {
+ if ((sizeof(*reply) - sizeof(reply->trailer) + payload_offset)
+ > reply_size) {
  return PSA_ERROR_INVALID_ARGUMENT;
  }
- memcpy(out_vec[i].base, reply->trailer + payload_offset, out_vec[i].len);
- payload_offset += out_vec[i].len;
+ memcpy(out_vec[i].base,
+ reply->trailer + payload_offset,
+ reply->out_size[i]);
+ out_vec[i].len = reply->out_size[i];
+ payload_offset += reply->out_size[i];
  }
  *return_val = reply->return_val;
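Review bot: The `memcpy` in the loop now takes its length from `reply->out_size[i]`, a field of the received reply, and nothing compares it with the caller's buffer size in `out_vec[i].len` before that field is overwritten, so a reply reporting a larger size writes past `out_vec[i].base`; the old code bounded the copy by `out_vec[i].len`. The `reply_size` check also tests only the start offset, so the bytes copied for an item can still extend beyond what was received. Both limits should be enforced before the copy, as in the fence below. `rss_protocol_embed_deserialize_reply` begins before this hunk and continues after it, so whether `reply_size` itself is capped at `sizeof(*reply)` cannot be seen from here.

```c
	for (i = 0U; i < out_len; ++i) {
		size_t used = sizeof(*reply) - sizeof(reply->trailer) + payload_offset;

		/*
		 * Reject a start offset beyond the received reply, a length that
		 * runs past it, and a length larger than the caller's buffer.
		 */
		if (used > reply_size ||
		    reply->out_size[i] > reply_size - used ||
		    reply->out_size[i] > out_vec[i].len) {
			return PSA_ERROR_INVALID_ARGUMENT;
		}

		/* … unchanged: memcpy, out_vec[i].len update, payload_offset advance … */
	}
```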