fwctl: pds: Validate RPC input size before parsing

The fwctl core allocates the device-specific RPC input buffer with fwctl_rpc.in_len and passes that buffer to the driver callback. pdsfc_fw_rpc() casts the buffer to struct fwctl_rpc_pds and then calls pdsfc_validate_rpc(), which reads fields from that structure before checking that the input buffer is large enough to contain it. A short in_len can make pds_fwctl read beyond the allocation. Reject pds RPC buffers that are smaller than struct fwctl_rpc_pds before parsing any pds-specific fields. Fixes: 92c66ee829b9 ("pds_fwctl: add rpc and query support") Link: https://patch.msgid.link/r/20260517062232.1858747-1-gganji11@naver.com Cc: stable@vger.kernel.org # v6.15+ Signed-off-by: Heechan Kang <gganji11@naver.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
author: Heechan Kang <gganji11@naver.com> 2026-05-17 15:22:32 +0900
committer: Jason Gunthorpe <jgg@nvidia.com> 2026-05-19 10:44:32 -0300
commit: e7537735028c3ad4b0bfc02ff8fa2a1a28aa04fe (patch)
tree: c69991aaf8b9965b3ff82509214d727dcf888f6f
parent: 5200f5f493f79f14bbdc349e402a40dfb32f23c8 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/fwctl/pds/main.c b/drivers/fwctl/pds/main.c
index 08872ee8422f..68fe254dd10a 100644
--- a/drivers/fwctl/pds/main.c
+++ b/drivers/fwctl/pds/main.c
@@ -362,6 +362,9 @@ static void *pdsfc_fw_rpc(struct fwctl_uctx *uctx, enum fwctl_rpc_scope scope,
 	void *out = NULL;
 	int err;
 
+	if (in_len < sizeof(*rpc))
+		return ERR_PTR(-EINVAL);
+
 	err = pdsfc_validate_rpc(pdsfc, rpc, scope);
 	if (err)
 		return ERR_PTR(err);
author	Heechan Kang <gganji11@naver.com>	2026-05-17 15:22:32 +0900
committer	Jason Gunthorpe <jgg@nvidia.com>	2026-05-19 10:44:32 -0300
commit	e7537735028c3ad4b0bfc02ff8fa2a1a28aa04fe (patch)
tree	c69991aaf8b9965b3ff82509214d727dcf888f6f
parent	5200f5f493f79f14bbdc349e402a40dfb32f23c8 (diff)