[PATCH] misc: hpilo: validate device queue entries before use
From: Yousef Alhouseen
Date: Wed Jun 24 2026 - 15:14:48 EST
ilo_pkt_dequeue() trusts descriptor IDs and lengths read from the shared
FIFO entry. A bad entry can select a descriptor outside the allocated
queue memory or report a packet length larger than one descriptor.
Reject entries whose descriptor index or packet length exceeds the queue
layout before deriving the packet pointer returned to read and write
paths.
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/misc/hpilo.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/hpilo.c b/drivers/misc/hpilo.c
index ff3f03ea5..9b54a81b4 100644
--- a/drivers/misc/hpilo.c
+++ b/drivers/misc/hpilo.c
@@ -160,11 +160,16 @@ static int ilo_pkt_dequeue(struct ilo_hwinfo *hw, struct ccb *ccb,
ret = fifo_dequeue(hw, fifobar, &entry);
if (ret) {
+ int pkt_len;
+
pkt_id = get_entry_id(entry);
+ pkt_len = get_entry_len(entry);
+ if (pkt_id >= NR_QENTRY || pkt_len > desc_mem_sz(1))
+ return 0;
if (id)
*id = pkt_id;
if (len)
- *len = get_entry_len(entry);
+ *len = pkt_len;
if (pkt)
*pkt = (void *)(desc + desc_mem_sz(pkt_id));
}
--
2.54.0