mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-07-08 20:31:57 +00:00
100 lines
3.3 KiB
Diff
100 lines
3.3 KiB
Diff
From f53af3805879292423465cd0877cc7a75131ce10 Mon Sep 17 00:00:00 2001
|
|
From: Siena Richard <sienar@codeaurora.org>
|
|
Date: Tue, 28 Feb 2017 12:52:30 -0800
|
|
Subject: drivers: soc: add size check
|
|
|
|
Add size check to ensure the payload fits inside the declared payload
|
|
size to prevent loss of data when copying.
|
|
|
|
CRs-Fixed: 2009224
|
|
Signed-off-by: Siena Richard <sienar@codeaurora.org>
|
|
Change-Id: I4275c626605272941143b54a7b8861b25f8e750a
|
|
---
|
|
drivers/soc/qcom/qdsp6v2/voice_svc.c | 49 +++++++++++++++++++++++++++++-------
|
|
1 file changed, 40 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c
|
|
index fbd90bc..fe54589 100644
|
|
--- a/drivers/soc/qcom/qdsp6v2/voice_svc.c
|
|
+++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c
|
|
@@ -368,6 +368,9 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf,
|
|
struct voice_svc_prvt *prtd;
|
|
struct voice_svc_write_msg *data = NULL;
|
|
uint32_t cmd;
|
|
+ struct voice_svc_register *register_data = NULL;
|
|
+ struct voice_svc_cmd_request *request_data = NULL;
|
|
+ uint32_t request_payload_size;
|
|
|
|
pr_debug("%s\n", __func__);
|
|
|
|
@@ -416,12 +419,19 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf,
|
|
*/
|
|
if (count == (sizeof(struct voice_svc_write_msg) +
|
|
sizeof(struct voice_svc_register))) {
|
|
- ret = process_reg_cmd(
|
|
- (struct voice_svc_register *)data->payload, prtd);
|
|
+ register_data =
|
|
+ (struct voice_svc_register *)data->payload;
|
|
+ if (register_data == NULL) {
|
|
+ pr_err("%s: register data is NULL", __func__);
|
|
+ ret = -EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
+ ret = process_reg_cmd(register_data, prtd);
|
|
if (!ret)
|
|
ret = count;
|
|
} else {
|
|
- pr_err("%s: invalid payload size\n", __func__);
|
|
+ pr_err("%s: invalid data payload size for register command\n",
|
|
+ __func__);
|
|
ret = -EINVAL;
|
|
goto done;
|
|
}
|
|
@@ -430,16 +440,37 @@ static ssize_t voice_svc_write(struct file *file, const char __user *buf,
|
|
/*
|
|
* Check that count reflects the expected size to ensure
|
|
* sufficient memory was allocated. Since voice_svc_cmd_request
|
|
- * has a variable size, check the minimum value count must be.
|
|
+ * has a variable size, check the minimum value count must be to
|
|
+ * parse the message request then check the minimum size to hold
|
|
+ * the payload of the message request.
|
|
*/
|
|
if (count >= (sizeof(struct voice_svc_write_msg) +
|
|
sizeof(struct voice_svc_cmd_request))) {
|
|
- ret = voice_svc_send_req(
|
|
- (struct voice_svc_cmd_request *)data->payload, prtd);
|
|
- if (!ret)
|
|
- ret = count;
|
|
+ request_data =
|
|
+ (struct voice_svc_cmd_request *)data->payload;
|
|
+ if (request_data == NULL) {
|
|
+ pr_err("%s: request data is NULL", __func__);
|
|
+ ret = -EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ request_payload_size = request_data->payload_size;
|
|
+
|
|
+ if (count >= (sizeof(struct voice_svc_write_msg) +
|
|
+ sizeof(struct voice_svc_cmd_request) +
|
|
+ request_payload_size)) {
|
|
+ ret = voice_svc_send_req(request_data, prtd);
|
|
+ if (!ret)
|
|
+ ret = count;
|
|
+ } else {
|
|
+ pr_err("%s: invalid request payload size\n",
|
|
+ __func__);
|
|
+ ret = -EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
} else {
|
|
- pr_err("%s: invalid payload size\n", __func__);
|
|
+ pr_err("%s: invalid data payload size for request command\n",
|
|
+ __func__);
|
|
ret = -EINVAL;
|
|
goto done;
|
|
}
|
|
--
|
|
cgit v1.1
|
|
|