From b1bc773cf61265e0e3871b2e52bd6b3270ffc6c3 Mon Sep 17 00:00:00 2001
From: Zhen Kong
Date: Thu, 27 Mar 2014 12:44:15 -0700
Subject: qseecom: Validate pointer offset in qseecom_send_modfd_cmd

Validate cmd_req_buf pointer offset in qseecom_send_modfy_cmd, and make sure cmd buffer address to be within shared bufffer.

Change-Id: I431511a92ab2cccbc2daebc0cf76cc3872689a97
Signed-off-by: Zhen Kong
---
 drivers/misc/qseecom.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 5d2b64c..bce4994 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -1635,6 +1635,13 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data,
 pr_err("response buffer address not within shared bufffer\n");
 return -EINVAL;
 }
+
+ if (req.cmd_req_len == 0 || req.cmd_req_len > data->client.sb_length ||
+ req.resp_len > data->client.sb_length) {
+ pr_err("cmd or response buffer length not valid\n");
+ return -EINVAL;
+ }
+
+ send_cmd_req.cmd_req_buf = req.cmd_req_buf;
 send_cmd_req.cmd_req_len = req.cmd_req_len;
 send_cmd_req.resp_buf = req.resp_buf;
--
cgit v1.1
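Review bot: The new guard compares `req.cmd_req_len` and `req.resp_len` with `data->client.sb_length` independently of where each buffer starts, so a `cmd_req_buf` or `resp_buf` that begins near the end of the shared buffer with a length just under `sb_length` passes, although the range runs past the buffer. The check should bound each length by the space left after the pointer, written as a subtraction so it cannot wrap, for example `req.cmd_req_len > sb_end - (uintptr_t)req.cmd_req_buf`, where `sb_end` is a placeholder for the shared buffer's end address. `resp_len == 0` is also accepted while `cmd_req_len == 0` is rejected; if that is intended, a short comment such as `/* a zero-length response is allowed */` would make it explicit. The commit description speaks of validating the cmd buffer pointer offset, but the added lines only test lengths. The address checks are presumably in the part of qseecom_send_modfd_cmd above this hunk, which starts and ends inside the function body.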