ipm: cavs: Fix possible buffer overflow

A buffer overflow happens in send() when size is negative because it is promoted to signed when used in memcpy. Signed-off-by: Flavio Ceolin <[email protected]> (cherry picked from commit eeea26d)
zephyrproject-rtos · Sep 27, 2023 · 29abb3c · 29abb3c
1 parent 0c3cb4b
commit 29abb3c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/ipm/ipm_cavs_host.c b/drivers/ipm/ipm_cavs_host.c
@@ -56,7 +56,7 @@ static int send(const struct device *dev, int wait, uint32_t id,
 		return -EBUSY;
 	}
 
-	if (size > MAX_MSG) {
+	if ((size < 0) || (size > MAX_MSG)) {
 		return -EMSGSIZE;
 	}