From b4e374926ddc325840cda704aea1eb0c49d7f0e3 Mon Sep 17 00:00:00 2001
From: Skylar Chang <chiaweic@codeaurora.org>
Date: Wed, 30 Nov 2016 14:41:24 -0800
Subject: msm: ipa: fix the potential heap overflow on wan-driver

Add the check on rmnet_ipa3_set_tether_client_pipe API
to make sure not accessing move than QMI_IPA_MAX_PIPES_V01
entries when user-space module compromised.

Change-Id: I59d39c7e5743dfea17853b6c4709605d4ebae962
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
---
 drivers/platform/msm/ipa/rmnet_ipa.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c
index ddae8c5..c274ee1 100644
--- a/drivers/platform/msm/ipa/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/rmnet_ipa.c
@@ -2426,7 +2426,7 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data)
  *
  * Return codes:
  * 0: Success
- * -EFAULT: Invalid interface name provided
+ * -EFAULT: Invalid src/dst pipes provided
  * other: See ipa_qmi_set_data_quota
  */
 int rmnet_ipa_set_tether_client_pipe(
@@ -2434,6 +2434,23 @@ int rmnet_ipa_set_tether_client_pipe(
 {
 	int number, i;
 
+	/* error checking if ul_src_pipe_len valid or not*/
+	if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+		data->ul_src_pipe_len < 0) {
+		IPAWANERR("UL src pipes %d exceeding max %d\n",
+			data->ul_src_pipe_len,
+			QMI_IPA_MAX_PIPES_V01);
+		return -EFAULT;
+	}
+	/* error checking if dl_dst_pipe_len valid or not*/
+	if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+		data->dl_dst_pipe_len < 0) {
+		IPAWANERR("DL dst pipes %d exceeding max %d\n",
+			data->dl_dst_pipe_len,
+			QMI_IPA_MAX_PIPES_V01);
+		return -EFAULT;
+	}
+
 	IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",
 	data->ipa_client,
 	data->ul_src_pipe_len,
-- 
cgit v1.1