commit f06b52366f40bfbda7e69a84447d2c5bca4c7d73
author Daniel Boulby <daniel.boulby@arm.com> Thu Feb 22 16:26:43 2024 +0000
committer Joao Alves <joao.alves@arm.com> Tue Mar 05 16:38:02 2024 +0100
tree f5e131f79521a8dab2bcdb00a4b67b92bd73b47a
parent 5e425040abf468e0e82615f7185cd9ab5f755ace

fix(mem sharing): return error if receiver count is 0

Previously we were only checking the receivers count in the memory
region descriptor was less than the maximum share recipients but not
that it wasn't 0. This meant the assert on line 581 of ffa_memory.c
could fail if the receiver count was 0. To avoid tripping the assert,
and instead gracefully return FFA_ERROR in this case, expand the
previous receiver count check to include the 0 case.

This patch also tidies up the accessing the receivers for v1.0 memory
access descriptors.

Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Change-Id: I81a53247e52333e17451773cf22f89f06359b9fd

src/ffa_memory.c

diff --git a/src/ffa_memory.c b/src/ffa_memory.c
index cddaa02..164cb77 100644
--- a/src/ffa_memory.c
+++ b/src/ffa_memory.c
@@ -520,10 +520,10 @@
 	uint32_t receiver_count;
 	struct ffa_memory_access *receiver;
 	uint32_t composite_offset_0;
+	struct ffa_memory_region_v1_0 *memory_region_v1_0 =
+		(struct ffa_memory_region_v1_0 *)memory_region;
 
 	if (ffa_version == MAKE_FFA_VERSION(1, 0)) {
-		struct ffa_memory_region_v1_0 *memory_region_v1_0 =
-			(struct ffa_memory_region_v1_0 *)memory_region;
 		/* Check the reserved fields are 0. */
 		if (memory_region_v1_0->reserved_0 != 0 ||
 		    memory_region_v1_0->reserved_1 != 0) {
@@ -563,9 +563,9 @@
 	}
 
 	/* Check receiver count is not too large. */
-	if (receiver_count > MAX_MEM_SHARE_RECIPIENTS) {
+	if (receiver_count > MAX_MEM_SHARE_RECIPIENTS || receiver_count < 1) {
 		dlog_verbose(
-			"Max number of recipients supported is %u "
+			"Receiver count must be 0 < receiver_count < %u "
 			"specified %u\n",
 			MAX_MEM_SHARE_RECIPIENTS, receiver_count);
 		return false;
@@ -577,9 +577,7 @@
 	 * check the first one is valid and then they are all the same.
 	 */
 	receiver = ffa_version == MAKE_FFA_VERSION(1, 0)
-			   ? (struct ffa_memory_access *)&(
-				     (struct ffa_memory_region_v1_0 *)
-					     memory_region)
+			   ? (struct ffa_memory_access *)&memory_region_v1_0
 				     ->receivers[0]
 			   : ffa_memory_region_get_receiver(memory_region, 0);
 	assert(receiver != NULL);
@@ -620,9 +618,6 @@
 		uint32_t composite_offset;
 
 		if (ffa_version == MAKE_FFA_VERSION(1, 0)) {
-			struct ffa_memory_region_v1_0 *memory_region_v1_0 =
-				(struct ffa_memory_region_v1_0 *)memory_region;
-
 			struct ffa_memory_access_v1_0 *receiver_v1_0 =
 				&memory_region_v1_0->receivers[i];
 			/* Check reserved fields are 0 */