[PATCH] fsi: occ: bound SRAM write payload length

Next message: Pengpeng Hou: "[PATCH] um: mconsole: use bounded version string formatting"
Previous message: Pengpeng Hou: "[PATCH] platform/x86: dell-wmi-sysman: bound enumeration string aggregation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Sat Mar 28 2026 - 23:13:02 EST

occ_putsram() rounds the requested SRAM write length up to an eight-byte
boundary and then copies that payload into occ->buffer without checking
whether the rounded length still fits behind the OCC/SBE command header.

Reject payloads that would overrun the fixed response buffer instead of
copying past the end of occ->buffer.

Fixes: 7ed98dddb764 ("fsi: Add On-Chip Controller (OCC) driver")
Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/fsi/fsi-occ.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/fsi/fsi-occ.c b/drivers/fsi/fsi-occ.c
index 416d176f0936..f52cf539bbda 100644
--- a/drivers/fsi/fsi-occ.c
+++ b/drivers/fsi/fsi-occ.c
@@ -315,6 +315,7 @@ static int occ_putsram(struct occ *occ, const void *data, ssize_t len,
u8 seq_no, u16 checksum)
{
u32 data_len = ((len + 7) / 8) * 8; /* must be multiples of 8 B */
+ size_t max_data_len;
size_t cmd_len, parsed_len, resp_data_len;
size_t resp_len = OCC_MAX_RESP_WORDS;
__be32 *buf = occ->buffer;
@@ -345,6 +346,11 @@ static int occ_putsram(struct occ *occ, const void *data, ssize_t len,
break;
}

+ max_data_len = OCC_MAX_RESP_WORDS * sizeof(*buf);
+ max_data_len -= (5 + idx) * sizeof(*buf);
+ if (data_len > max_data_len)
+ return -EINVAL;
+
buf[4 + idx] = cpu_to_be32(data_len);
memcpy(&buf[5 + idx], data, len);

--
2.50.1 (Apple Git-155)