fix: clean up boundary bugs of log record access

This cleans up fixes boundary bugs found in the message handlers. Signed-off-by: Simon Wang <[email protected]> Tested-by: Ashish Singhal <[email protected]> Reviewed-by: Ashish Singhal <[email protected]>
NVIDIA · Nov 13, 2024 · ac41b5b · ac41b5b
1 parent a1c3a2e
commit ac41b5b
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/Silicon/NVIDIA/Drivers/SequentialRecordStMm/SequentialRecordComm.c b/Silicon/NVIDIA/Drivers/SequentialRecordStMm/SequentialRecordComm.c
@@ -117,6 +117,7 @@ CmetMsgHandler (
   EFI_STATUS                  Status;
   RAS_MM_COMMUNICATE_PAYLOAD  *CmetHeader;
   UINT8                       *CmetPayload;
+  UINTN                       CmetPayloadSize;
 
   if ((CommBuffer == NULL) || (CommBufferSize == NULL)) {
     DEBUG ((DEBUG_ERROR, "%a: Communication buffer : %r\n", __FUNCTION__, EFI_INVALID_PARAMETER));
@@ -131,6 +132,8 @@ CmetMsgHandler (
   CmetHeader  = (RAS_MM_COMMUNICATE_PAYLOAD *)CommBuffer;
   CmetPayload = CmetHeader->Data;
 
+  CmetPayloadSize = *CommBufferSize - sizeof (RAS_MM_COMMUNICATE_PAYLOAD);
+
   if (CmetSeqProto == NULL) {
     DEBUG ((DEBUG_ERROR, "%a: No Storage support for Cmet Vars\n", __FUNCTION__));
     Status = EFI_UNSUPPORTED;
@@ -154,7 +157,7 @@ CmetMsgHandler (
                                CmetSeqProto,
                                CmetHeader->Socket,
                                (VOID *)CmetPayload,
-                               *CommBufferSize,
+                               CmetPayloadSize,
                                CmetHeader->Flag
                                );
       break;
@@ -163,7 +166,7 @@ CmetMsgHandler (
                                CmetSeqProto,
                                CmetHeader->Socket,
                                (VOID *)CmetPayload,
-                               *CommBufferSize,
+                               CmetPayloadSize,
                                CmetHeader->Flag
                                );
       break;
@@ -253,6 +256,7 @@ RasLogMsgHandler (
   EFI_STATUS                  Status;
   RAS_MM_COMMUNICATE_PAYLOAD  *RasHeader;
   UINT8                       *RasPayload;
+  UINTN                       RasPayloadSize;
 
   if ((CommBuffer == NULL) || (CommBufferSize == NULL)) {
     DEBUG ((DEBUG_ERROR, "%a: Communication buffer : %r\n", __FUNCTION__, EFI_INVALID_PARAMETER));
@@ -267,6 +271,8 @@ RasLogMsgHandler (
   RasHeader  = (RAS_MM_COMMUNICATE_PAYLOAD *)CommBuffer;
   RasPayload = RasHeader->Data;
 
+  RasPayloadSize = *CommBufferSize - sizeof (RasHeader);
+
   if (RasSeqProto == NULL) {
     DEBUG ((DEBUG_ERROR, "%a: No Storage support for RASLog\n", __FUNCTION__));
     Status = EFI_UNSUPPORTED;
@@ -290,15 +296,15 @@ RasLogMsgHandler (
                               RasSeqProto,
                               RasHeader->Socket,
                               (VOID *)RasPayload,
-                              *CommBufferSize
+                              RasPayloadSize
                               );
       break;
     case WRITE_NEXT_RECORD:
       Status = RasSeqProto->WriteNext (
                               RasSeqProto,
                               RasHeader->Socket,
                               (VOID *)RasPayload,
-                              *CommBufferSize
+                              RasPayloadSize
                               );
       RasHeader->Flag = RasLogOverrideTargets (RasPayload, RasHeader->Flag);
       break;