mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
36 lines
1.2 KiB
Diff
36 lines
1.2 KiB
Diff
From b1bc773cf61265e0e3871b2e52bd6b3270ffc6c3 Mon Sep 17 00:00:00 2001
|
|
From: Zhen Kong <zkong@codeaurora.org>
|
|
Date: Thu, 27 Mar 2014 12:44:15 -0700
|
|
Subject: qseecom: Validate pointer offset in qseecom_send_modfd_cmd
|
|
|
|
Validate cmd_req_buf pointer offset in qseecom_send_modfy_cmd, and
|
|
make sure cmd buffer address to be within shared bufffer.
|
|
|
|
Change-Id: I431511a92ab2cccbc2daebc0cf76cc3872689a97
|
|
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
|
|
---
|
|
drivers/misc/qseecom.c | 7 +++++++
|
|
1 file changed, 7 insertions(+)
|
|
|
|
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
|
|
index 5d2b64c..bce4994 100644
|
|
--- a/drivers/misc/qseecom.c
|
|
+++ b/drivers/misc/qseecom.c
|
|
@@ -1635,6 +1635,13 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data,
|
|
pr_err("response buffer address not within shared bufffer\n");
|
|
return -EINVAL;
|
|
}
|
|
+
|
|
+ if (req.cmd_req_len == 0 || req.cmd_req_len > data->client.sb_length ||
|
|
+ req.resp_len > data->client.sb_length) {
|
|
+ pr_err("cmd or response buffer length not valid\n");
|
|
+ return -EINVAL;
|
|
+ }
|
|
+
|
|
send_cmd_req.cmd_req_buf = req.cmd_req_buf;
|
|
send_cmd_req.cmd_req_len = req.cmd_req_len;
|
|
send_cmd_req.resp_buf = req.resp_buf;
|
|
--
|
|
cgit v1.1
|
|
|