Mailbox: Avoid possible out-of-range write

UEWBot · Anton-TF · commit f604dfaf8b59 · 2026-05-15T10:11:24.000Z
tfm_mailbox_hal_init() should ensure that spe_mailbox_queue.ns_slot_count
is always &lt;= NUM_MAILBOX_QUEUE_SLOT, but it's safest to also check
before writing to the spe_mailbox_queue.queue[] array.

Signed-off-by: Chris Brand &lt;chris.brand@cypress.com&gt;
Change-Id: I67e03295df0989a125c1f2460fd086c1a8688c43
diff --git a/secure_fw/partitions/ns_agent_mailbox/tfm_spe_mailbox.c b/secure_fw/partitions/ns_agent_mailbox/tfm_spe_mailbox.c
@@ -369,7 +369,9 @@ int32_t tfm_mailbox_handle_msg(void)
         return MAILBOX_NO_PEND_EVENT;
     }
 
-    for (idx = 0; idx < spe_mailbox_queue.ns_slot_count; idx++) {
+    for (idx = 0;
+         (idx < spe_mailbox_queue.ns_slot_count) && (idx < NUM_MAILBOX_QUEUE_SLOT);
+         idx++) {
         mask_bits = (1 << idx);
         /* Check if current NSPE mailbox queue slot is pending for handling */
         if (!(pend_slots & mask_bits)) {
