Re: [PATCH] fwctl: pds: Validate RPC input size before parsing

[Creeley, Brett]

On 5/16/2026 11:22 PM, Heechan Kang wrote:
> [You don't often get email from gganji11@xxxxxxxxx. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>
> Caution: This message originated from an External Source. Use proper caution when opening attachments, clicking links, or responding.
>
>
> The fwctl core allocates the device-specific RPC input buffer with
> fwctl_rpc.in_len and passes that buffer to the driver callback.
>
> pdsfc_fw_rpc() casts the buffer to struct fwctl_rpc_pds and then calls
> pdsfc_validate_rpc(), which reads fields from that structure before
> checking that the input buffer is large enough to contain it. A short
> in_len can make pds_fwctl read beyond the allocation.
>
> Reject pds RPC buffers that are smaller than struct fwctl_rpc_pds before
> parsing any pds-specific fields.
>
> Fixes: 92c66ee829b9 ("pds_fwctl: add rpc and query support")
> Cc: stable@xxxxxxxxxxxxxxx # v6.15+
> Signed-off-by: Heechan Kang <gganji11@xxxxxxxxx>
> ---
>   drivers/fwctl/pds/main.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/drivers/fwctl/pds/main.c b/drivers/fwctl/pds/main.c
> index 08872ee8422f..68fe254dd10a 100644
> --- a/drivers/fwctl/pds/main.c
> +++ b/drivers/fwctl/pds/main.c
> @@ -362,6 +362,9 @@ static void *pdsfc_fw_rpc(struct fwctl_uctx *uctx, enum fwctl_rpc_scope scope,
>          void *out = NULL;
>          int err;
>
> +       if (in_len < sizeof(*rpc))
> +               return ERR_PTR(-EINVAL);
> +

LGTM. Thanks for the fix.

Brett
>          err = pdsfc_validate_rpc(pdsfc, rpc, scope);
>          if (err)
>                  return ERR_PTR(err);
> --
> 2.34.1