From ac8242269094729c464ac042a58603e01427e509 Mon Sep 17 00:00:00 2001 From: Rajakumar Govindaram Date: Thu, 15 Sep 2016 17:09:40 -0700 Subject: msm: camera: cpp: Validate frame message before manipulating it. CPP frame message is used to send all frame data to Microcontroller. It is sent every frame. CPP kernel driver has to add information to it before transfer it. The message has to be validated before manipulations. If it is not valid the message and corresponding frame are discarded. b/30074605 CRs-Fixed: 1049826 Change-Id: I3e11ca7f6df4bb0d928512f81f3e3dc40fed791a Signed-off-by: Rajakumar Govindaram --- .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 26 ++++++++++------------ 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c index 964703c..7874cf6 100644 --- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c @@ -2184,21 +2184,19 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, return -EINVAL; } - if (!new_frame->partial_frame_indicator) { - if (cpp_frame_msg[new_frame->msg_len - 1] != - MSM_CPP_MSG_ID_TRAILER) { - pr_err("Invalid frame message\n"); - return -EINVAL; - } + if (cpp_frame_msg[new_frame->msg_len - 1] != + MSM_CPP_MSG_ID_TRAILER) { + pr_err("Invalid frame message\n"); + return -EINVAL; + } - if ((stripe_base + new_frame->num_strips * stripe_size + 1) != - new_frame->msg_len) { - pr_err("Invalid frame message,len=%d,expected=%d\n", - new_frame->msg_len, - (stripe_base + - new_frame->num_strips * stripe_size + 1)); - return -EINVAL; - } + if ((stripe_base + new_frame->num_strips * stripe_size + 1) != + new_frame->msg_len) { + pr_err("Invalid frame message,len=%d,expected=%d\n", + new_frame->msg_len, + (stripe_base + + new_frame->num_strips * stripe_size + 1)); + return -EINVAL; } if (cpp_dev->iommu_state != CPP_IOMMU_STATE_ATTACHED) { -- cgit v1.1