Google Git
Sign in
android/trusty/lk/trusty/d9b56a6a147537dbf63651753f0b7e1473e3e72f^!/.
commit
d9b56a6a147537dbf63651753f0b7e1473e3e72f
[log] [tgz]
author
Arve Hjønnevåg <arve@android.com>
Tue Feb 25 18:02:29 2025 -0800
committer
Arve Hjønnevåg <arve@android.com>
Fri Feb 28 19:30:43 2025 -0800
tree
a187df6035202af1bc2f75eb04e548890cafda94
parent
26df3487fa8fc930ca5d00154df8e90686b8a8b8 [diff]
trusty: ql_tipc: Re-fix random stuck boottests

42d5ab78c61a145d3a6c91564723251fc5b8b43a broke
QL_TIPC_DEV_FC_HAS_EVENT by adding a parameter check that will never
pass.
1. The payload_len passed into this call was 0 since no data was passed
   in.
2. The check compared the payload_len to the return payload_len plus the
   header size which is not part of payload_len.

Remove the check. Alternatively we could check that payload_len is 0,
but I don't know of any client code has been modified to pass in the
incorrect value that the code was checking for.

Bug: 142284039
Change-Id: I22e8910445cff3e1758bd07ad9d619c2ba434a87

diff --git a/lib/trusty/tipc_dev_ql.c b/lib/trusty/tipc_dev_ql.c
index ecc58b7..31d4299 100644
--- a/lib/trusty/tipc_dev_ql.c
+++ b/lib/trusty/tipc_dev_ql.c

@@ -485,8 +485,15 @@
                           uint32_t target) {
     const int opcode = QL_TIPC_DEV_FC_HAS_EVENT;
 
-    if (ns_sz < (sizeof(struct tipc_cmd_hdr) + sizeof(bool)) ||
-        ns_sz > dev->ns_sz) {
+    /*
+     * Ignore ns_sz. The client sets payload_len to 0 since the payload is
+     * only used to return data, no data is passed in.
+     *
+     * Check that buffer is large enough for the response, even though this
+     * check can't fail with the current struct size, since dev->ns_sz has
+     * already been checked to be page aligned and non-0.
+     */
+    if ((sizeof(struct tipc_cmd_hdr) + sizeof(bool)) > dev->ns_sz) {
         return set_status(dev, opcode, ERR_INVALID_ARGS, 0);
     }