mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-10 16:34:22 -05:00
107 lines
3.4 KiB
Diff
107 lines
3.4 KiB
Diff
|
From ececf97911515114030bef1fc6df630dbb706f17 Mon Sep 17 00:00:00 2001
|
||
|
From: Siena Richard <sienar@codeaurora.org>
|
||
|
Date: Tue, 28 Feb 2017 12:52:30 -0800
|
||
|
Subject: drivers: soc: add size check
|
||
|
|
||
|
Add size check to ensure the payload fits inside the declared payload
|
||
|
size to prevent loss of data when copying.
|
||
|
|
||
|
CRs-Fixed: 2009224
|
||
|
Signed-off-by: Siena Richard <sienar@codeaurora.org>
|
||
|
Change-Id: I4275c626605272941143b54a7b8861b25f8e750a
|
||
|
---
|
||
|
drivers/soc/qcom/qdsp6v2/voice_svc.c | 57 ++++++++++++++++++++++++++++--------
|
||
|
1 file changed, 44 insertions(+), 13 deletions(-)
|
||
|
|
||
|
diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c
|
||
|
index 10f71b8..fe54589 100644
|
||
|
--- a/drivers/soc/qcom/qdsp6v2/voice_svc.c
|
||
|
+++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c
|
||
|
@@ -368,6 +368,9 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf,
|
||
|
struct voice_svc_prvt *prtd;
|
||
|
struct voice_svc_write_msg *data = NULL;
|
||
|
uint32_t cmd;
|
||
|
+ struct voice_svc_register *register_data = NULL;
|
||
|
+ struct voice_svc_cmd_request *request_data = NULL;
|
||
|
+ uint32_t request_payload_size;
|
||
|
|
||
|
pr_debug("%s\n", __func__);
|
||
|
|
||
|
@@ -416,12 +419,19 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf,
|
||
|
*/
|
||
|
if (count == (sizeof(struct voice_svc_write_msg) +
|
||
|
sizeof(struct voice_svc_register))) {
|
||
|
- ret = process_reg_cmd(
|
||
|
- (struct voice_svc_register *)data->payload, prtd);
|
||
|
+ register_data =
|
||
|
+ (struct voice_svc_register *)data->payload;
|
||
|
+ if (register_data == NULL) {
|
||
|
+ pr_err("%s: register data is NULL", __func__);
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto done;
|
||
|
+ }
|
||
|
+ ret = process_reg_cmd(register_data, prtd);
|
||
|
if (!ret)
|
||
|
ret = count;
|
||
|
} else {
|
||
|
- pr_err("%s: invalid payload size\n", __func__);
|
||
|
+ pr_err("%s: invalid data payload size for register command\n",
|
||
|
+ __func__);
|
||
|
ret = -EINVAL;
|
||
|
goto done;
|
||
|
}
|
||
|
@@ -430,19 +440,40 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf,
|
||
|
/*
|
||
|
* Check that count reflects the expected size to ensure
|
||
|
* sufficient memory was allocated. Since voice_svc_cmd_request
|
||
|
- * has a variable size, check the minimum value count must be.
|
||
|
+ * has a variable size, check the minimum value count must be to
|
||
|
+ * parse the message request then check the minimum size to hold
|
||
|
+ * the payload of the message request.
|
||
|
*/
|
||
|
if (count >= (sizeof(struct voice_svc_write_msg) +
|
||
|
sizeof(struct voice_svc_cmd_request))) {
|
||
|
- ret = voice_svc_send_req(
|
||
|
- (struct voice_svc_cmd_request *)data->payload, prtd);
|
||
|
- if (!ret)
|
||
|
- ret = count;
|
||
|
- } else {
|
||
|
- pr_err("%s: invalid payload size\n", __func__);
|
||
|
- ret = -EINVAL;
|
||
|
- goto done;
|
||
|
- }
|
||
|
+ request_data =
|
||
|
+ (struct voice_svc_cmd_request *)data->payload;
|
||
|
+ if (request_data == NULL) {
|
||
|
+ pr_err("%s: request data is NULL", __func__);
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto done;
|
||
|
+ }
|
||
|
+
|
||
|
+ request_payload_size = request_data->payload_size;
|
||
|
+
|
||
|
+ if (count >= (sizeof(struct voice_svc_write_msg) +
|
||
|
+ sizeof(struct voice_svc_cmd_request) +
|
||
|
+ request_payload_size)) {
|
||
|
+ ret = voice_svc_send_req(request_data, prtd);
|
||
|
+ if (!ret)
|
||
|
+ ret = count;
|
||
|
+ } else {
|
||
|
+ pr_err("%s: invalid request payload size\n",
|
||
|
+ __func__);
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto done;
|
||
|
+ }
|
||
|
+ } else {
|
||
|
+ pr_err("%s: invalid data payload size for request command\n",
|
||
|
+ __func__);
|
||
|
+ ret = -EINVAL;
|
||
|
+ goto done;
|
||
|
+ }
|
||
|
break;
|
||
|
default:
|
||
|
pr_debug("%s: Invalid command: %u\n", __func__, cmd);
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|