[PATCH] hw/uefi: fix size negotiation

Gerd Hoffmann posted 1 patch 3 weeks, 2 days ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20260114104745.3465860-1-kraxel@redhat.com
Maintainers: Gerd Hoffmann <kraxel@redhat.com>
hw/uefi/var-service-vars.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] hw/uefi: fix size negotiation
Posted by Gerd Hoffmann 3 weeks, 2 days ago
Payload size is the variable request size, not the total buffer size.
Take that into account and subtract header sizes.

Fixes: db1ecfb473ac ("hw/uefi: add var-service-vars.c")
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/uefi/var-service-vars.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c
index 8533533ea5c8..5607763525b3 100644
--- a/hw/uefi/var-service-vars.c
+++ b/hw/uefi/var-service-vars.c
@@ -592,7 +592,7 @@ uefi_vars_mm_get_payload_size(uefi_vars_state *uv, mm_header *mhdr,
         return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
     }
 
-    ps->payload_size = uv->buf_size;
+    ps->payload_size = uv->buf_size - sizeof(*mhdr) - sizeof(*mvar);
     mvar->status = EFI_SUCCESS;
     return length;
 }
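Review bot: The subtraction on the added line, `uv->buf_size - sizeof(*mhdr) - sizeof(*mvar)`, has no lower bound on `uv->buf_size` visible in this hunk. Because `sizeof` yields `size_t`, the arithmetic is unsigned, so a buffer smaller than the two headers combined would wrap around to a very large `payload_size` rather than fail. The condition behind the `EFI_BAD_BUFFER_SIZE` return just above is cut off by the context, so it is not clear whether it covers this case. If neither that check nor the code that sets `buf_size` guarantees `buf_size >= sizeof(*mhdr) + sizeof(*mvar)`, add that guard before the assignment and return `EFI_BAD_BUFFER_SIZE` when it fails.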
-- 
2.52.0
Re: [PATCH] hw/uefi: fix size negotiation
Posted by Michael Tokarev 2 days, 23 hours ago
On 1/14/26 13:47, Gerd Hoffmann wrote:
> Payload size is the variable request size, not the total buffer size.
> Take that into account and subtract header sizes.
> 
> Fixes: db1ecfb473ac ("hw/uefi: add var-service-vars.c")

This feels like qemu-stable material.
Please let me know if it isn't.

Thanks,

/mjt
> --- a/hw/uefi/var-service-vars.c
> +++ b/hw/uefi/var-service-vars.c
> @@ -592,7 +592,7 @@ uefi_vars_mm_get_payload_size(uefi_vars_state *uv, mm_header *mhdr,
>           return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE);
>       }
>   
> -    ps->payload_size = uv->buf_size;
> +    ps->payload_size = uv->buf_size - sizeof(*mhdr) - sizeof(*mvar);
>       mvar->status = EFI_SUCCESS;
>       return length;
>   }
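Review bot: The assignment to `ps->payload_size` carries the rule from the commit message (payload size is the variable request size, not the total buffer size) only as bare arithmetic. A one-line comment above it, saying the value is what remains of `buf_size` after `*mhdr` and `*mvar`, would document the intent at the point of use and make it less likely that a later cleanup reverts to plain `uv->buf_size`.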