SPDM - enhance the payload size check upon receiving

IntelCaisui · IntelCaisui · commit 227199c074e6 · 2025-11-21T14:27:28.000+08:00
Enhance the payload size check in SPDM receive function to prevent
  buffer overflow and interger overflow.
diff --git a/src/migtd/src/spdm/mod.rs b/src/migtd/src/spdm/mod.rs
@@ -62,6 +62,10 @@ impl<T: AsyncRead + AsyncWrite + Unpin> SpdmDeviceIo for MigtdTransport<T> {
         buffer: Arc<Mutex<&mut [u8]>>,
         _timeout: usize,
     ) -> Result<usize, usize> {
+        if buffer.lock().len() < VMCALL_SPDM_MESSAGE_HEADER_SIZE {
+            return Err(0_usize);
+        }
+
         let mut buffer = buffer.lock();
         let mut recvd = 0;
         while recvd < VMCALL_SPDM_MESSAGE_HEADER_SIZE {
@@ -78,7 +82,7 @@ impl<T: AsyncRead + AsyncWrite + Unpin> SpdmDeviceIo for MigtdTransport<T> {
             vmcall_msg::VmCallMessageHeader::read(&mut reader).ok_or(0_usize)?;
         let payload_size = vmcall_msg_header.length as usize;
 
-        if buffer.len() < payload_size + VMCALL_SPDM_MESSAGE_HEADER_SIZE {
+        if payload_size > buffer.len() - VMCALL_SPDM_MESSAGE_HEADER_SIZE {
             return Err(0_usize);
         }
 
