ipm: cavs: Fix possible buffer overflow
A buffer overflow happens in send() when size is negative because
it is promoted to signed when used in memcpy.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
(cherry picked from commit eeea26d20651e7f91de5e7d216a5398551d164da)
diff --git a/drivers/ipm/ipm_cavs_host.c b/drivers/ipm/ipm_cavs_host.c
index 7436770..028b9e9 100644
--- a/drivers/ipm/ipm_cavs_host.c
+++ b/drivers/ipm/ipm_cavs_host.c
@@ -56,7 +56,7 @@
return -EBUSY;
}
- if (size > MAX_MSG) {
+ if ((size < 0) || (size > MAX_MSG)) {
return -EMSGSIZE;
}
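Review bot: The added `(size < 0)` test in the changed condition has no comment saying why a negative size has to be rejected, so a later cleanup could drop it as redundant. A one-line comment above the check would help, noting that a negative size turns into a very large unsigned length once it reaches the memcpy named in the commit message. Returning -EMSGSIZE for a negative value is defensible, but -EINVAL would tell callers about an invalid argument rather than an oversized message; either way the choice deserves a note in the function's documentation. It is also worth confirming that every use of size as a length in send() comes after this early return. If the patch is respun, the commit message wording "promoted to signed" should be checked: the conversion at a memcpy length argument is to the unsigned size_t.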