mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-07-08 20:31:57 +00:00
84 lines
2.4 KiB
Diff
84 lines
2.4 KiB
Diff
From d9d2c405d46ca27b25ed55a8dbd02bd1e633e2d5 Mon Sep 17 00:00:00 2001
|
|
From: Amir Samuelov <amirs@codeaurora.org>
|
|
Date: Tue, 6 Dec 2016 18:18:16 +0200
|
|
Subject: spcom: check buf size for send modified command
|
|
|
|
Check buffer size validity before allocating kernel buffer.
|
|
|
|
CRs-Fixed: 1094140
|
|
Change-Id: I8c280b60f316d7bae87644104d18aa7df4af9efe
|
|
Signed-off-by: Amir Samuelov <amirs@codeaurora.org>
|
|
---
|
|
drivers/soc/qcom/spcom.c | 34 ++++++++++++++++++++++++++++++++++
|
|
1 file changed, 34 insertions(+)
|
|
|
|
diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c
|
|
index 0c5f3b8..48f1157 100644
|
|
--- a/drivers/soc/qcom/spcom.c
|
|
+++ b/drivers/soc/qcom/spcom.c
|
|
@@ -1407,6 +1407,11 @@ static int modify_ion_addr(void *buf,
|
|
return -ENODEV;
|
|
}
|
|
|
|
+ if (buf_size < sizeof(uint64_t)) {
|
|
+ pr_err("buf size too small [%d].\n", buf_size);
|
|
+ return -ENODEV;
|
|
+ }
|
|
+
|
|
if (buf_offset > buf_size - sizeof(uint64_t)) {
|
|
pr_err("invalid buf_offset [%d].\n", buf_offset);
|
|
return -ENODEV;
|
|
@@ -1469,6 +1474,16 @@ static int spcom_handle_send_modified_command(struct spcom_channel *ch,
|
|
|
|
pr_debug("send req/resp ch [%s] size [%d] .\n", ch->name, size);
|
|
|
|
+ /*
|
|
+ * check that cmd buf size is at least struct size,
|
|
+ * to allow access to struct fields.
|
|
+ */
|
|
+ if (size < sizeof(*cmd)) {
|
|
+ pr_err("ch [%s] invalid cmd buf.\n",
|
|
+ ch->name);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+
|
|
/* Check if remote side connect */
|
|
if (!spcom_is_channel_connected(ch)) {
|
|
pr_err("ch [%s] remote side not connect.\n", ch->name);
|
|
@@ -1481,6 +1496,18 @@ static int spcom_handle_send_modified_command(struct spcom_channel *ch,
|
|
timeout_msec = cmd->timeout_msec;
|
|
memcpy(ion_info, cmd->ion_info, sizeof(ion_info));
|
|
|
|
+ /* Check param validity */
|
|
+ if (buf_size > SPCOM_MAX_RESPONSE_SIZE) {
|
|
+ pr_err("ch [%s] invalid buf size [%d].\n",
|
|
+ ch->name, buf_size);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+ if (size != sizeof(*cmd) + buf_size) {
|
|
+ pr_err("ch [%s] invalid cmd size [%d].\n",
|
|
+ ch->name, size);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+
|
|
/* Allocate Buffers*/
|
|
tx_buf_size = sizeof(*hdr) + buf_size;
|
|
tx_buf = kzalloc(tx_buf_size, GFP_KERNEL);
|
|
@@ -1746,6 +1773,13 @@ static int spcom_handle_read_req_resp(struct spcom_channel *ch,
|
|
return -ENOTCONN;
|
|
}
|
|
|
|
+ /* Check param validity */
|
|
+ if (size > SPCOM_MAX_RESPONSE_SIZE) {
|
|
+ pr_err("ch [%s] inavlid size [%d].\n",
|
|
+ ch->name, size);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+
|
|
/* Allocate Buffers*/
|
|
rx_buf_size = sizeof(*hdr) + size;
|
|
rx_buf = kzalloc(rx_buf_size, GFP_KERNEL);
|
|
--
|
|
cgit v1.1
|
|
|