virtio: rng: Check length before copying
author Andrew Scull <ascull@google.com>
Mon, 16 May 2022 10:41:39 +0000 (10:41 +0000)
committer Tom Rini <trini@konsulko.com>
Wed, 8 Jun 2022 13:24:04 +0000 (09:24 -0400)
Check the length of data written by the device is consistent with the
size of the buffers to avoid out-of-bounds memory accesses in case
values aren't consistent.

Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
drivers/virtio/virtio_rng.c

index 9314c0a..b85545c 100644 (file)
@@ -41,6 +41,9 @@ static int virtio_rng_read(struct udevice *dev, void *data, size_t len)
                while (!virtqueue_get_buf(priv->rng_vq, &rsize))
                        ;
 
+               if (rsize > sg.length)
+                       return -EIO;
+
                memcpy(ptr, buf, rsize);
                len -= rsize;
                ptr += rsize;
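
Review bot: The new `if (rsize > sg.length)` check bounds the device-reported length from above only. An rsize of 0 passes it, after which `len -= rsize` and `ptr += rsize` make no progress, so if the enclosing code loops until len is exhausted, a device that keeps returning empty buffers would keep the caller spinning. Consider rejecting `rsize == 0` here as well. The check also protects the `memcpy` only if `sg.length` is never larger than `buf` or the remaining `len`. That setup is outside this hunk and is worth confirming. A one-line comment noting that rsize is device-controlled would document why the check exists.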