[PATCH] ibacm: Check for source space in resolve requests

Next message: Mike Karcic: "Re: [REGRESSION] Speaker pop/chirp on Meteor Lake ALC287 (17aa:231e) -- 6.12.73 to 6.12.85"
Previous message: Onish Sharma: "[PATCH 2/2] staging: sm750fb: rename setAllEngOff"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael Bommarito

Date: Thu May 28 2026 - 09:43:44 EST

If a resolve request omits the source address, acm_svr_verify_resolve()
uses the next endpoint slot as a scratch source address. A full request
can already contain all eight endpoint slots. In that case there is no
scratch slot, and the current code writes past the fixed message buffer.

Reject a source-less request when there is no endpoint slot left for the
selected source address.

Fixes: 5cf79fbad67a ("ibacm: resolve source address if not given")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
---
ibacm/src/acm.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/ibacm/src/acm.c b/ibacm/src/acm.c
index f13617c40..125b660e0 100644
--- a/ibacm/src/acm.c
+++ b/ibacm/src/acm.c
@@ -1044,6 +1044,10 @@ static uint8_t acm_svr_verify_resolve(struct acm_msg *msg)
}

if (msg->hdr.src_out) {
+ if (i >= ACM_MSG_DATA_LENGTH / ACM_MSG_EP_LENGTH) {
+ acm_log(0, "ERROR - no room for source address\n");
+ return ACM_STATUS_EINVAL;
+ }
msg->hdr.src_index = i;
memset(&msg->resolve_data[i], 0, sizeof(struct acm_ep_addr_data));
}
--
2.53.0