From 3a4ebaac557a9e3fbcbab4561650abac8298a4d9 Mon Sep 17 00:00:00 2001
From: Satish Kodishala
Date: Thu, 10 Oct 2013 15:44:11 +0530
Subject: radio: iris: Checking if driver's buffer is large enough.

Checking if driver's buffer is large enough to copy the data from user space.

Change-Id: I7b4eed81cf77ce2973669ce18ccd95a5df397d82
CRs-fixed: 552329
Signed-off-by: Satish Kodishala
---
 drivers/media/radio/radio-iris.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/drivers/media/radio/radio-iris.c b/drivers/media/radio/radio-iris.c
index 5e056be..a9e25bd 100644
--- a/drivers/media/radio/radio-iris.c
+++ b/drivers/media/radio/radio-iris.c
@@ -3472,13 +3472,26 @@ static int iris_vidioc_s_ctrl(struct file *file, void *priv,
 radio->riva_data_req.cmd_params.start_addr = ctrl->value;
 break;
 case V4L2_CID_PRIVATE_IRIS_RIVA_ACCS_LEN:
- radio->riva_data_req.cmd_params.length = ctrl->value;
+ if ((ctrl->value > 0) &&
+ (ctrl->value <= MAX_RIVA_PEEK_RSP_SIZE)) {
+ radio->riva_data_req.cmd_params.length = ctrl->value;
+ } else {
+ FMDERR("Length %d is more than the buffer size %d\n",
+ ctrl->value, MAX_RIVA_PEEK_RSP_SIZE);
+ retval = -EINVAL;
+ }
 break;
 case V4L2_CID_PRIVATE_IRIS_RIVA_POKE:
- memcpy(radio->riva_data_req.data, (void *)ctrl->value,
- radio->riva_data_req.cmd_params.length);
- radio->riva_data_req.cmd_params.subopcode = RIVA_POKE_OPCODE;
- retval = hci_poke_data(&radio->riva_data_req , radio->fm_hdev);
+ if (radio->riva_data_req.cmd_params.length <= MAX_RIVA_PEEK_RSP_SIZE) {
+ memcpy(radio->riva_data_req.data, (void *)ctrl->value,
+ radio->riva_data_req.cmd_params.length);
+ radio->riva_data_req.cmd_params.subopcode = RIVA_POKE_OPCODE;
+ retval = hci_poke_data(&radio->riva_data_req , radio->fm_hdev);
+ } else {
+ FMDERR("Can not copy into driver's buffer. Length %d is more than"
+ "the buffer size %d\n", ctrl->value, MAX_RIVA_PEEK_RSP_SIZE);
+ retval = -EINVAL;
+ }
 break;
 case V4L2_CID_PRIVATE_IRIS_SSBI_ACCS_ADDR:
 radio->ssbi_data_accs.start_addr = ctrl->value;
--
cgit v1.1
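Review bot: In the `V4L2_CID_PRIVATE_IRIS_RIVA_POKE` case the new length check still leaves `memcpy()` reading from `(void *)ctrl->value`, an address supplied by the ioctl caller, so the kernel dereferences an unvalidated user pointer. The copy should go through `copy_from_user()` and fail with `-EFAULT`. The bound also relies on `riva_data_req.data` holding at least `MAX_RIVA_PEEK_RSP_SIZE` bytes; that declaration is outside this hunk and should be confirmed. The else-branch message prints `ctrl->value` (the pointer) where the stored length is meant, and its two string pieces join as "thanthe". The sketch below covers the POKE case only; `iris_vidioc_s_ctrl` starts and ends outside the hunk.

```c
	case V4L2_CID_PRIVATE_IRIS_RIVA_POKE:
		if (radio->riva_data_req.cmd_params.length >
				MAX_RIVA_PEEK_RSP_SIZE) {
			FMDERR("Can not copy into driver's buffer. Length %d is more than "
				"the buffer size %d\n",
				radio->riva_data_req.cmd_params.length,
				MAX_RIVA_PEEK_RSP_SIZE);
			retval = -EINVAL;
			break;
		}
		/* ctrl->value carries a user-space address: never memcpy() from it */
		if (copy_from_user(radio->riva_data_req.data,
				(void __user *)ctrl->value,
				radio->riva_data_req.cmd_params.length)) {
			retval = -EFAULT;
			break;
		}
		/* … unchanged: subopcode assignment and hci_poke_data() call … */
		break;
```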