From 717f8e0474db9556135a9439916d5c4fa7781589 Mon Sep 17 00:00:00 2001
From: Marcos Pernambuco Motta <1091485+mpernambuco@users.noreply.github.com>
Date: Thu, 24 Oct 2024 12:34:31 -0300
Subject: [PATCH] chore: improve send_cmio_response bounds checking

---
 CHANGELOG.md               | 1 +
 src/send-cmio-response.cpp | 5 ++++-
 tests/lua/machine-bind.lua | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00158e821..778227c19 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Added a "--jobs" option to "uarch-riscv-tests.lua" test
 - add-created-files.diff should now be applied with `-p1`
+- Improved send_cmio_response bounds checking
 
 ### Fixed
 - Fixed --skip-root-hash-store not skipping root hash computation when using the cli
diff --git a/src/send-cmio-response.cpp b/src/send-cmio-response.cpp
index f791c3ca7..941d39571 100644
--- a/src/send-cmio-response.cpp
+++ b/src/send-cmio-response.cpp
@@ -40,11 +40,14 @@ void send_cmio_response(STATE_ACCESS &a, uint16 reason, bytes data, uint32 dataL
     // Find the write length: the smallest power of 2 that is >= dataLength and >= tree leaf size
     uint32 writeLengthLog2Size = uint32Log2(dataLength);
     if (writeLengthLog2Size < machine_merkle_tree::get_log2_word_size()) {
-        writeLengthLog2Size = 5; // minimum write size is the tree leaf size
+        writeLengthLog2Size = machine_merkle_tree::get_log2_word_size(); // minimum write size is the tree leaf size
     }
     if (uint32ShiftLeft(1, writeLengthLog2Size) < dataLength) {
         writeLengthLog2Size += 1;
     }
+    if (writeLengthLog2Size > PMA_CMIO_RX_BUFFER_LOG2_SIZE) {
+        throwRuntimeError(a, "CMIO response data is too large");
+    }
     writeMemoryWithPadding(a, PMA_CMIO_RX_BUFFER_START, data, dataLength, writeLengthLog2Size);
 }
 // Write data length and reason to fromhost
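Review bot: The guard added just before writeMemoryWithPadding checks the derived writeLengthLog2Size rather than dataLength itself, so its correctness rests on the rounding steps above it (uint32Log2, the leaf-size floor, the +1 adjustment); a direct comparison placed before that arithmetic, `if (dataLength > uint32ShiftLeft(1, PMA_CMIO_RX_BUFFER_LOG2_SIZE)) { throwRuntimeError(a, "CMIO response data is too large"); }`, states the bound in terms of the caller-supplied length and rejects oversized input before any size computation runs. If the current placement is kept, a comment should record why it is sufficient, e.g. `// The write length is the smallest power of two >= dataLength, so a log2 size above the RX buffer's rejects every dataLength that cannot fit`. Neither form addresses dataLength == 0, whose outcome depends on what uint32Log2(0) returns, and that helper is not visible in this hunk. send_cmio_response begins outside the hunk and the helpers it calls are defined elsewhere.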
diff --git a/tests/lua/machine-bind.lua b/tests/lua/machine-bind.lua
index 2f56d3d56..8eda5b42c 100755
--- a/tests/lua/machine-bind.lua
+++ b/tests/lua/machine-bind.lua
@@ -1278,10 +1278,10 @@ do_test("send_cmio_response fails if data is too big", function(machine)
     local reason = 1
     local data_too_big = string.rep("a", 1 + (1 << cartesi.PMA_CMIO_RX_BUFFER_LOG2_SIZE))
     machine:set_iflags_Y()
-    test_util.assert_error("address range not entirely in memory PMA", function()
+    test_util.assert_error("CMIO response data is too large", function()
         machine:send_cmio_response(reason, data_too_big)
     end)
-    test_util.assert_error("address range not entirely in memory PMA", function()
+    test_util.assert_error("CMIO response data is too large", function()
         machine:log_send_cmio_response(reason, data_too_big, {})
     end)
 end)
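Review bot: The test still exercises only the one-byte-over case (`1 + (1 << cartesi.PMA_CMIO_RX_BUFFER_LOG2_SIZE)`), so the boundary the new guard in send-cmio-response.cpp decides on, a response of exactly `1 << cartesi.PMA_CMIO_RX_BUFFER_LOG2_SIZE` bytes, is not pinned on the accepting side. Unless such a case already exists elsewhere in this file, a companion do_test that builds `string.rep("a", 1 << cartesi.PMA_CMIO_RX_BUFFER_LOG2_SIZE)` and expects send_cmio_response to succeed would catch an off-by-one in the comparison.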