Commit e7537735 authored May 17, 2026 by Heechan Kang Committed by Jason Gunthorpe May 19, 2026

fwctl: pds: Validate RPC input size before parsing

The fwctl core allocates the device-specific RPC input buffer with
fwctl_rpc.in_len and passes that buffer to the driver callback.

pdsfc_fw_rpc() casts the buffer to struct fwctl_rpc_pds and then calls
pdsfc_validate_rpc(), which reads fields from that structure before
checking that the input buffer is large enough to contain it. A short
in_len can make pds_fwctl read beyond the allocation.

Reject pds RPC buffers that are smaller than struct fwctl_rpc_pds before
parsing any pds-specific fields.

Fixes: 92c66ee8 ("pds_fwctl: add rpc and query support")
Link: https://patch.msgid.link/r/20260517062232.1858747-1-gganji11@naver.com


Cc: stable@vger.kernel.org # v6.15+
Signed-off-by: Heechan Kang <gganji11@naver.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

parent 5200f5f4

drivers/fwctl/pds/main.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -362,6 +362,9 @@ static void pdsfc_fw_rpc(struct fwctl_uctx uctx, enum fwctl_rpc_scope scope,
		void *out = NULL;
		int err;

		if (in_len < sizeof(*rpc))
		return ERR_PTR(-EINVAL);

		err = pdsfc_validate_rpc(pdsfc, rpc, scope);
		if (err)
		return ERR_PTR(err);