fix(el3-spmc): fix location of fragment length check

Ensure that the fragment_length parameter is validated to prevent
a buffer overflow before it is used. Reported by Matt Oh, Google Android Red Team.

Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0323c096ffd988fbd85bbd4ade3abd8427aea977

diff --git a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
index 6f6d273d6b38ccdaf32f50febdff07709b274508..d4d0407c116971dc671dc96d55dbe5f46292d3dd 100644 (file)
--- a/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
+++ b/services/std_svc/spm/el3_spmc/spmc_shared_mem.c
@@ -885,9 +885,6 @@ static long spmc_ffa_fill_desc(struct mailbox *mbox,
                goto err_arg;
        }
 
-       memcpy((uint8_t *)&obj->desc + obj->desc_filled,
-              (uint8_t *) mbox->tx_buffer, fragment_length);
-
        if (fragment_length > obj->desc_size - obj->desc_filled) {
                WARN("%s: bad fragment size %u > %zu remaining\n", __func__,
                     fragment_length, obj->desc_size - obj->desc_filled);
@@ -895,6 +892,9 @@ static long spmc_ffa_fill_desc(struct mailbox *mbox,
                goto err_arg;
        }
 
+       memcpy((uint8_t *)&obj->desc + obj->desc_filled,
+              (uint8_t *) mbox->tx_buffer, fragment_length);
+
        /* Ensure that the sender ID resides in the normal world. */
        if (ffa_is_secure_world_id(obj->desc.sender_id)) {
                WARN("%s: Invalid sender ID 0x%x.\n",