ibacm: Check for source space in resolve requests

[PATCH] ibacm: Check for source space in resolve requests

Michael Bommarito posted 1 patch 1 week, 4 days ago

Download mbox

ibacm/src/acm.c | 4 ++++
1 file changed, 4 insertions(+)

Expand all Fold all

[PATCH] ibacm: Check for source space in resolve requests

Posted by Michael Bommarito 1 week, 4 days ago

If a resolve request omits the source address, acm_svr_verify_resolve()
uses the next endpoint slot as a scratch source address. A full request
can already contain all eight endpoint slots. In that case there is no
scratch slot, and the current code writes past the fixed message buffer.

Reject a source-less request when there is no endpoint slot left for the
selected source address.

Fixes: 5cf79fbad67a ("ibacm: resolve source address if not given")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
 ibacm/src/acm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ibacm/src/acm.c b/ibacm/src/acm.c
index f13617c40..125b660e0 100644
--- a/ibacm/src/acm.c
+++ b/ibacm/src/acm.c
@@ -1044,6 +1044,10 @@ static uint8_t acm_svr_verify_resolve(struct acm_msg *msg)
 	}
 
 	if (msg->hdr.src_out) {
+		if (i >= ACM_MSG_DATA_LENGTH / ACM_MSG_EP_LENGTH) {
+			acm_log(0, "ERROR - no room for source address\n");
+			return ACM_STATUS_EINVAL;
+		}
 		msg->hdr.src_index = i;
 		memset(&msg->resolve_data[i], 0, sizeof(struct acm_ep_addr_data));
 	}
-- 
2.53.0