mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
85 lines
2.8 KiB
Diff
85 lines
2.8 KiB
Diff
From ffacf6e2dc41b6063c3564791ed7a2f903e7e3b7 Mon Sep 17 00:00:00 2001
|
|
From: Skylar Chang <chiaweic@codeaurora.org>
|
|
Date: Wed, 30 Nov 2016 14:41:24 -0800
|
|
Subject: msm: ipa: fix the potential heap overflow on wan-driver
|
|
|
|
Add the check on rmnet_ipa3_set_tether_client_pipe API
|
|
to make sure not accessing move than QMI_IPA_MAX_PIPES_V01
|
|
entries when user-space module compromised.
|
|
|
|
Change-Id: I59d39c7e5743dfea17853b6c4709605d4ebae962
|
|
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
|
|
---
|
|
drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c | 19 ++++++++++++++++++-
|
|
drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c | 17 +++++++++++++++++
|
|
2 files changed, 35 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
|
|
index f81d637..2c43fc52 100644
|
|
--- a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
|
|
+++ b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
|
|
@@ -2507,7 +2507,7 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data)
|
|
*
|
|
* Return codes:
|
|
* 0: Success
|
|
- * -EFAULT: Invalid interface name provided
|
|
+ * -EFAULT: Invalid src/dst pipes provided
|
|
* other: See ipa_qmi_set_data_quota
|
|
*/
|
|
int rmnet_ipa_set_tether_client_pipe(
|
|
@@ -2515,6 +2515,23 @@ int rmnet_ipa_set_tether_client_pipe(
|
|
{
|
|
int number, i;
|
|
|
|
+ /* error checking if ul_src_pipe_len valid or not*/
|
|
+ if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
|
|
+ data->ul_src_pipe_len < 0) {
|
|
+ IPAWANERR("UL src pipes %d exceeding max %d\n",
|
|
+ data->ul_src_pipe_len,
|
|
+ QMI_IPA_MAX_PIPES_V01);
|
|
+ return -EFAULT;
|
|
+ }
|
|
+ /* error checking if dl_dst_pipe_len valid or not*/
|
|
+ if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
|
|
+ data->dl_dst_pipe_len < 0) {
|
|
+ IPAWANERR("DL dst pipes %d exceeding max %d\n",
|
|
+ data->dl_dst_pipe_len,
|
|
+ QMI_IPA_MAX_PIPES_V01);
|
|
+ return -EFAULT;
|
|
+ }
|
|
+
|
|
IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",
|
|
data->ipa_client,
|
|
data->ul_src_pipe_len,
|
|
diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
|
|
index 4ed2728..78187c9 100644
|
|
--- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
|
|
+++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
|
|
@@ -2607,6 +2607,23 @@ int rmnet_ipa3_set_tether_client_pipe(
|
|
{
|
|
int number, i;
|
|
|
|
+ /* error checking if ul_src_pipe_len valid or not*/
|
|
+ if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
|
|
+ data->ul_src_pipe_len < 0) {
|
|
+ IPAWANERR("UL src pipes %d exceeding max %d\n",
|
|
+ data->ul_src_pipe_len,
|
|
+ QMI_IPA_MAX_PIPES_V01);
|
|
+ return -EFAULT;
|
|
+ }
|
|
+ /* error checking if dl_dst_pipe_len valid or not*/
|
|
+ if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
|
|
+ data->dl_dst_pipe_len < 0) {
|
|
+ IPAWANERR("DL dst pipes %d exceeding max %d\n",
|
|
+ data->dl_dst_pipe_len,
|
|
+ QMI_IPA_MAX_PIPES_V01);
|
|
+ return -EFAULT;
|
|
+ }
|
|
+
|
|
IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",
|
|
data->ipa_client,
|
|
data->ul_src_pipe_len,
|
|
--
|
|
cgit v1.1
|
|
|