virtio: rng: Check length before copying

Check the length of data written by the device is consistent with the
size of the buffers to avoid out-of-bounds memory accesses in case
values aren't consistent.

Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Andrew Scull 2022-05-16 10:41:39 +00:00 committed by Tom Rini
parent 420b3e51f4
commit 43937a4f5e

View File

@ -41,6 +41,9 @@ static int virtio_rng_read(struct udevice *dev, void *data, size_t len)
while (!virtqueue_get_buf(priv->rng_vq, &rsize))
;
if (rsize > sg.length)
return -EIO;
memcpy(ptr, buf, rsize);
len -= rsize;
ptr += rsize;