From b4e374926ddc325840cda704aea1eb0c49d7f0e3 Mon Sep 17 00:00:00 2001 From: Skylar Chang Date: Wed, 30 Nov 2016 14:41:24 -0800 Subject: msm: ipa: fix the potential heap overflow on wan-driver Add the check on rmnet_ipa3_set_tether_client_pipe API to make sure not accessing move than QMI_IPA_MAX_PIPES_V01 entries when user-space module compromised. Change-Id: I59d39c7e5743dfea17853b6c4709605d4ebae962 Signed-off-by: Skylar Chang --- drivers/platform/msm/ipa/rmnet_ipa.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c index ddae8c5..c274ee1 100644 --- a/drivers/platform/msm/ipa/rmnet_ipa.c +++ b/drivers/platform/msm/ipa/rmnet_ipa.c @@ -2426,7 +2426,7 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data) * * Return codes: * 0: Success - * -EFAULT: Invalid interface name provided + * -EFAULT: Invalid src/dst pipes provided * other: See ipa_qmi_set_data_quota */ int rmnet_ipa_set_tether_client_pipe( @@ -2434,6 +2434,23 @@ int rmnet_ipa_set_tether_client_pipe( { int number, i; + /* error checking if ul_src_pipe_len valid or not*/ + if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 || + data->ul_src_pipe_len < 0) { + IPAWANERR("UL src pipes %d exceeding max %d\n", + data->ul_src_pipe_len, + QMI_IPA_MAX_PIPES_V01); + return -EFAULT; + } + /* error checking if dl_dst_pipe_len valid or not*/ + if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 || + data->dl_dst_pipe_len < 0) { + IPAWANERR("DL dst pipes %d exceeding max %d\n", + data->dl_dst_pipe_len, + QMI_IPA_MAX_PIPES_V01); + return -EFAULT; + } + IPAWANDBG("client %d, UL %d, DL %d, reset %d\n", data->ipa_client, data->ul_src_pipe_len, -- cgit v1.1