mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
|
From c257f35acc3841f7b99730f01ba834c0575030de Mon Sep 17 00:00:00 2001
|
||
|
From: Biswajit Paul <biswajitpaul@codeaurora.org>
|
||
|
Date: Fri, 2 Dec 2016 12:54:53 -0800
|
||
|
Subject: [PATCH] msm: ADSPRPC: Buffer length truncated while validation
|
||
|
|
||
|
The buffer length that is being used to validate gets truncated
|
||
|
due to it being assigned to wrong type causing invalid memory
|
||
|
to be accessed when the actual buffer length is used to copy
|
||
|
user buffer contents.
|
||
|
|
||
|
Bug: 31695439
|
||
|
CRs-Fixed: 1086123
|
||
|
Change-Id: If04dee27b8bae04eef7455773d9f4327fd008a21
|
||
|
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
|
||
|
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
|
||
|
---
|
||
|
drivers/char/adsprpc.c | 3 ++-
|
||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
|
||
|
index f99855c0cacf5..53396b7839497 100644
|
||
|
--- a/drivers/char/adsprpc.c
|
||
|
+++ b/drivers/char/adsprpc.c
|
||
|
@@ -719,7 +719,8 @@ static int get_page_list(uint32_t kernel, struct smq_invoke_ctx *ctx)
|
||
|
pgstart->size = obuf->size;
|
||
|
for (i = 0; i < inbufs + outbufs; ++i) {
|
||
|
void *buf;
|
||
|
- int len, num;
|
||
|
+ int num;
|
||
|
+ ssize_t len;
|
||
|
|
||
|
list[i].num = 0;
|
||
|
list[i].pgidx = 0;
|