OpenSBI fdt_mailbox_rpmi_shmem.c copies reg-names into fixed 16-byte queue names without bounds checks #417
Description
Title: OpenSBI fdt_mailbox_rpmi_shmem.c copies reg-names into fixed 16-byte queue names without bounds checks
Current upstream OpenSBI master still copies device-tree reg-names strings into a fixed-size queue-name buffer without validating the length first. In lib/utils/mailbox/fdt_mailbox_rpmi_shmem.c, rpmi_shmem_mbox_init() gets each queue name with fdt_stringlist_get(fdt, nodeoff, "reg-names", qid, &len) and then copies it directly with:
```c
sbi_memcpy(qctx->name, name, len);
```
The destination is struct smq_queue_ctx::name, which is defined as char name[RPMI_NAME_CHARS_MAX], and RPMI_NAME_CHARS_MAX is 16 in include/sbi_utils/mailbox/rpmi_msgprot.h. The only check before the copy is that the property exists and that len is non-negative. There is no check that len fits in the 16-byte destination and no explicit NUL-termination step.
Because qctx is one entry inside the queue_ctx_tbl array, an oversized reg-names entry can overwrite the following members of that struct, including headptr, tailptr, buffer, and queue_id, before the mailbox controller is fully initialized. This makes the bug more than a cosmetic string issue; it is a real memory corruption condition during device-tree parsing.
Expected behavior: the code should reject or clamp reg-names values so that queue names fit in RPMI_NAME_CHARS_MAX and remain NUL-terminated.
Actual behavior: the code copies the full device-tree string length into the fixed 16-byte field with no local bound.
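The following is an added example of the bounds check the report asks for; it is not OpenSBI code. `struct demo_queue_ctx` is a simplified stand-in for `struct smq_queue_ctx` with the members named above in the order the report describes them (an assumption about layout), `rpmi_queue_name_copy()` is a hypothetical helper that replaces the unchecked `sbi_memcpy()`, and the queue names fed to it are constructed test values. The helper rejects any name that does not fit together with its NUL terminator, and `check_name()` verifies that the neighbouring fields are untouched whatever the input length.

```c
/* Added example, not OpenSBI code: a length-checked, NUL-terminating copy
 * of a reg-names entry into the fixed RPMI_NAME_CHARS_MAX queue-name field. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RPMI_NAME_CHARS_MAX 16   /* value the report cites from rpmi_msgprot.h */

/* Assumed simplified layout; mirrors the members the report says follow name[]. */
struct demo_queue_ctx {
    char name[RPMI_NAME_CHARS_MAX];
    volatile uint32_t *headptr;
    volatile uint32_t *tailptr;
    void *buffer;
    uint32_t queue_id;
};

/* Copy a device-tree string of reported length `len` (excluding the NUL, as
 * fdt_stringlist_get() reports it) into qctx->name.
 * Returns 0 on success, -1 if the name plus its terminator does not fit.
 * Rejecting rather than truncating avoids two distinct reg-names entries
 * silently collapsing to the same 15-character prefix. */
static int rpmi_queue_name_copy(struct demo_queue_ctx *qctx,
                                const char *name, int len)
{
    if (!qctx || !name || len < 0)
        return -1;
    if ((size_t)len >= sizeof(qctx->name))   /* leave room for the NUL */
        return -1;
    memcpy(qctx->name, name, (size_t)len);
    qctx->name[len] = '\0';
    return 0;
}

/* Self-check: fill the context with sentinel neighbours, attempt the copy,
 * and confirm that a rejected or accepted copy never clobbers them.
 * Returns 1 if the name was accepted intact, 0 if it was rejected and the
 * field left empty, -1 if any neighbouring member changed. */
static int check_name(const char *name)
{
    struct demo_queue_ctx q;
    uint32_t head_sentinel = 0xA5A5A5A5u, tail_sentinel = 0x5A5A5A5Au;
    int rc;

    memset(&q, 0, sizeof(q));
    q.headptr = &head_sentinel;
    q.tailptr = &tail_sentinel;
    q.buffer = &q;               /* any non-NULL marker value */
    q.queue_id = 7;

    rc = rpmi_queue_name_copy(&q, name, (int)strlen(name));

    if (q.headptr != &head_sentinel || q.tailptr != &tail_sentinel ||
        q.buffer != &q || q.queue_id != 7)
        return -1;
    if (rc == 0)
        return strcmp(q.name, name) == 0 ? 1 : -1;
    return q.name[0] == '\0' ? 0 : -1;
}

int main(void)
{
    /* Constructed names: 6, 15, 16 and 44 characters respectively. */
    return (check_name("queue0") == 1 &&
            check_name("exactly15chars!") == 1 &&
            check_name("sixteen-chars-xx") == 0 &&
            check_name("this-reg-name-is-far-too-long-for-the-field") == 0) ? 0 : 1;
}
```

The boundary case to keep in mind is the 16-character name: it would fit the array byte for byte, but only by dropping the terminator, so a later `strcmp()` or `sbi_strlen()` on `qctx->name` would run into `headptr`. Checking `len >= sizeof(name)` rather than `len > sizeof(name)` is what closes that gap.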