ipm: cavs: Fix possible buffer overflow A buffer overflow happens in send() when size is negative because it is promoted to signed when used in memcpy. Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com> (cherry picked from commit eeea26d20651e7f91de5e7d216a5398551d164da)

commit: 96693938957788e354703e406b7980e677c029b5 [log] [tgz]
author: Flavio Ceolin <flavio.ceolin@intel.com> Tue Sep 26 10:39:00 2023 -0700
committer: Henrik Brix Andersen <henrik@brixandersen.dk> Tue Nov 07 18:33:47 2023 +0100
tree: 4960d96ca45f5d03ef05cd1866945e73518161a1
parent: 532a37f0ebfde7b89899ef5c521ebc1e16321947 [diff]
diff --git a/drivers/ipm/ipm_cavs_host.c b/drivers/ipm/ipm_cavs_host.c
index 7436770..028b9e9 100644
--- a/drivers/ipm/ipm_cavs_host.c
+++ b/drivers/ipm/ipm_cavs_host.c

@@ -56,7 +56,7 @@
 		return -EBUSY;
 	}
 
-	if (size > MAX_MSG) {
+	if ((size < 0) || (size > MAX_MSG)) {
 		return -EMSGSIZE;
 	}
commit	96693938957788e354703e406b7980e677c029b5	[log] [tgz]
author	Flavio Ceolin <flavio.ceolin@intel.com>	Tue Sep 26 10:39:00 2023 -0700
committer	Henrik Brix Andersen <henrik@brixandersen.dk>	Tue Nov 07 18:33:47 2023 +0100
tree	4960d96ca45f5d03ef05cd1866945e73518161a1
parent	532a37f0ebfde7b89899ef5c521ebc1e16321947 [diff]