chore: clarify intent with sanity checks
Add doc comments to clarify that out-of-bounds accesses
are not possible due to the sanity checks.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I1918cd397ce8fa0521752fccfcb67e22d4ee7668
diff --git a/src/api.c b/src/api.c
index 1d33778..bc58cbb 100644
--- a/src/api.c
+++ b/src/api.c
@@ -3464,7 +3464,6 @@
dlog_verbose("Failed to allocate memory region copy.\n");
return ffa_error(FFA_NO_MEMORY);
}
- memory_region = allocated_entry;
if (!memcpy_trapped(allocated_entry, MM_PPOOL_ENTRY_SIZE, from_msg,
fragment_length)) {
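Review bot: Removing `memory_region = allocated_entry;` here and re-adding it in the hunk at +3490 widens the window in which `allocated_entry` is live but `memory_region` is still unset, so the `goto out` paths taken when memcpy_trapped() or ffa_memory_region_sanity_check() fail now reach the cleanup with `memory_region` holding whatever it held before the allocation. If the code at `out:` releases the pool entry through `memory_region` (its body is outside these hunks), those failure paths leak `allocated_entry`; if it frees `allocated_entry` directly the move is safe, and a short comment at the new assignment saying so would make that obvious. Worth confirming against the cleanup label rather than the hunk.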
@@ -3475,6 +3474,10 @@
goto out;
}
+ /*
+ * Out-of-bounds accesses should be eliminated by the sanity checks
+ * below.
+ */
if (!ffa_memory_region_sanity_check(allocated_entry, ffa_version,
fragment_length, true)) {
ret = ffa_error(FFA_INVALID_PARAMETERS);
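Review bot: The added comment documents a security-critical invariant but phrases it as an expectation ("should be eliminated") and does not say what is actually bounded, so a later reader cannot tell which field reads are covered. Prefer stating it as a precondition for the code that follows, e.g. `/* ffa_memory_region_sanity_check() validates the descriptor's offsets and sizes against fragment_length; descriptor fields must not be dereferenced before this point. */`, adjusting the first clause to what the helper really checks — its body is outside the hunk. Passing `allocated_entry` rather than `memory_region` here is a good choice, since it makes clear that the unvalidated copy is what is being checked.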
@@ -3487,6 +3490,8 @@
goto out;
}
+ memory_region = allocated_entry;
+
if (fragment_length < sizeof(struct ffa_memory_region) +
memory_region->memory_access_desc_size) {
dlog_verbose(
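Review bot: The relocated assignment on the added line is the point at which the validated copy becomes usable, but nothing says so, and the very next line dereferences `memory_region->memory_access_desc_size`. A one-line comment above it, `/* Alias the copy only after it passed the sanity check; code above must use allocated_entry. */`, records why the assignment sits here rather than next to the allocation. The sum `sizeof(struct ffa_memory_region) + memory_region->memory_access_desc_size` cannot wrap only if that field is narrower than the type of the sum; the field's type is not visible in the hunk, so this is worth confirming.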
@@ -3695,6 +3700,11 @@
}
if (!is_ffa_hypervisor_retrieve_request(retrieve_msg)) {
+ /*
+ * The checks from function below should guarantee there are no
+ * invalid values, and the accesses that follow can't be out of
+ * bounds.
+ */
if (!ffa_memory_region_sanity_check(retrieve_msg, ffa_version,
fragment_length, false)) {
ret = ffa_error(FFA_INVALID_PARAMETERS);
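Review bot: The added comment reads awkwardly (`The checks from function below should guarantee…`) and, more importantly, it sits inside the `!is_ffa_hypervisor_retrieve_request` branch, so it implies a guarantee that does not hold on the hypervisor-retrieve path, which skips the sanity check entirely. Reword to something like `/* For non-hypervisor requests, ffa_memory_region_sanity_check() validates the descriptor against fragment_length; accesses below may rely on that only on this path. */`, and state explicitly what bounds the hypervisor path if it dereferences the same fields. The code after this `if` is outside the hunk, so whether the hypervisor path actually touches those fields needs checking.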