[Skiboot] [PATCH 2/9] hw/bt: Add FIFO buffer length capability validation
Nicholas Piggin
npiggin at gmail.com
Mon Mar 31 23:46:28 AEDT 2025
Add validation of BT FIFO sizes against IPMI message allocations.
The BT interface capabilities command returns one less than the FIFO
size, so fix this off-by-one error in the sanity check.
Signed-off-by: Nicholas Piggin <npiggin at gmail.com>
---
hw/bt.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/hw/bt.c b/hw/bt.c
index 8a88e223e..b41e5ab81 100644
--- a/hw/bt.c
+++ b/hw/bt.c
@@ -149,12 +149,12 @@ static void get_bt_caps_complete(struct ipmi_msg *msg)
goto out;
}
- if (msg->data[1] != BT_FIFO_LEN) {
+ if (msg->data[1] + 1 != BT_FIFO_LEN) {
prlog(PR_DEBUG, "Got a input buffer len (%u) cap which differs from the default\n",
msg->data[1]);
}
- if (msg->data[2] != BT_FIFO_LEN) {
+ if (msg->data[2] + 1 != BT_FIFO_LEN) {
prlog(PR_DEBUG, "Got a output buffer len (%u) cap which differs from the default\n",
msg->data[2]);
}
@@ -606,6 +606,17 @@ static struct ipmi_msg *bt_alloc_ipmi_msg(size_t request_size, size_t response_s
{
struct bt_msg *bt_msg;
+ if (request_size + BT_MIN_REQ_LEN + 1 > bt.caps.input_buf_len) {
+ prerror("%s request size too large for BT FIFO (%ld)\n",
+ __func__, request_size);
+ return NULL;
+ }
+ if (response_size + BT_MIN_RESP_LEN + 1 > bt.caps.output_buf_len) {
+ prerror("%s response size too large for BT FIFO %ld)\n",
+ __func__, response_size);
+ return NULL;
+ }
+
bt_msg = zalloc(sizeof(struct bt_msg) + MAX(request_size, response_size));
if (!bt_msg)
return NULL;
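Review bot: The two new prerror calls pass a size_t (request_size, response_size) with `%ld`, which does not match the argument type, and the second message is also missing the opening parenthesis before its `%ld`. The lines should read `prerror("%s request size too large for BT FIFO (%zu)\n", __func__, request_size);` and `prerror("%s response size too large for BT FIFO (%zu)\n", __func__, response_size);`. The additive form `request_size + BT_MIN_REQ_LEN + 1` can wrap for a very large request_size and slip past the new check (the zalloc below would then see the same oversized value), so if callers can pass unchecked sizes a subtraction-based comparison against the cap, guarded by a check that the cap covers the minimum, would be more robust. If bt.caps.input_buf_len and output_buf_len are zero until the capabilities reply handled in the first hunk arrives, every allocation would be rejected until then — worth confirming that a default is populated. bt_alloc_ipmi_msg continues past the end of the hunk.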
--
2.47.1