author | Linux Build Service Account <lnxbuild@localhost> | 2016-12-13 12:17:55 -0800 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-12-13 12:17:55 -0800 |
commit | 10114703d2d1073ba4268ec732cceed2245e5fc0 (patch) | |
tree | 02c0fbfdc87e0d4df6fde4e2aeb52c3ac8ee46b3 /drivers | |
parent | ef451d15bb636238167f5f3b07b42f0249bdc4db (diff) | |
parent | d9d2c405d46ca27b25ed55a8dbd02bd1e633e2d5 (diff) |
Merge "spcom: check buf size for send modified command"
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/soc/qcom/spcom.c | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c index aab53d72ede0..fcdcf0b6953e 100644 --- a/drivers/soc/qcom/spcom.c +++ b/drivers/soc/qcom/spcom.c @@ -1429,6 +1429,11 @@ static int modify_ion_addr(void *buf, return -ENODEV; } + if (buf_size < sizeof(uint64_t)) { + pr_err("buf size too small [%d].\n", buf_size); + return -ENODEV; + } + if (buf_offset > buf_size - sizeof(uint64_t)) { pr_err("invalid buf_offset [%d].\n", buf_offset); return -ENODEV; @@ -1491,6 +1496,16 @@ static int spcom_handle_send_modified_command(struct spcom_channel *ch, pr_debug("send req/resp ch [%s] size [%d] .\n", ch->name, size); + /* + * check that cmd buf size is at least struct size, + * to allow access to struct fields. + */ + if (size < sizeof(*cmd)) { + pr_err("ch [%s] invalid cmd buf.\n", + ch->name); + return -EINVAL; + } + /* Check if remote side connect */ if (!spcom_is_channel_connected(ch)) { pr_err("ch [%s] remote side not connect.\n", ch->name); @@ -1503,6 +1518,18 @@ static int spcom_handle_send_modified_command(struct spcom_channel *ch, timeout_msec = cmd->timeout_msec; memcpy(ion_info, cmd->ion_info, sizeof(ion_info)); + /* Check param validity */ + if (buf_size > SPCOM_MAX_RESPONSE_SIZE) { + pr_err("ch [%s] invalid buf size [%d].\n", + ch->name, buf_size); + return -EINVAL; + } + if (size != sizeof(*cmd) + buf_size) { + pr_err("ch [%s] invalid cmd size [%d].\n", + ch->name, size); + return -EINVAL; + } + /* Allocate Buffers*/ tx_buf_size = sizeof(*hdr) + buf_size; tx_buf = kzalloc(tx_buf_size, GFP_KERNEL); @@ -1779,6 +1806,13 @@ static int spcom_handle_read_req_resp(struct spcom_channel *ch, return -ENOTCONN; } + /* Check param validity */ + if (size > SPCOM_MAX_RESPONSE_SIZE) { + pr_err("ch [%s] inavlid size [%d].\n", + ch->name, size); + return -EINVAL; + } + /* Allocate Buffers*/ rx_buf_size = sizeof(*hdr) + size; rx_buf = kzalloc(rx_buf_size, GFP_KERNEL); |
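Review bot: The new `buf_size < sizeof(uint64_t)` guard in modify_ion_addr has no comment saying why it must come before the offset check. The subtraction `buf_size - sizeof(uint64_t)` in the following condition is evaluated as an unsigned size_t expression, so it wraps to a huge value when buf_size is smaller than the field and the offset check then accepts any buf_offset. I would add `/* buf_size - sizeof(uint64_t) below wraps if buf_size is smaller than the field */` above the guard. It also returns -ENODEV for a bad argument; that matches the neighbouring checks, but -EINVAL would describe the failure better if no caller depends on the code. The function starts and ends outside the hunk.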
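Review bot: The `size < sizeof(*cmd)` check in spcom_handle_send_modified_command does not reject a negative size if `size` is a signed int, which the `%d` in the pr_debug above suggests but the hunk does not show; the comparison converts size to size_t, so a negative value compares as very large and passes. The later `size != sizeof(*cmd) + buf_size` test would still reject it, but only after `cmd->timeout_msec` and `cmd->ion_info` have been read. `if (size < 0 || (size_t)size < sizeof(*cmd)) {` closes that. The same missing lower bound applies to `size > SPCOM_MAX_RESPONSE_SIZE` in the spcom_handle_read_req_resp hunk, where `if (size < 0 || size > SPCOM_MAX_RESPONSE_SIZE) {` would cover it before `rx_buf_size = sizeof(*hdr) + size` is computed. The function body starts and ends outside the hunk.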
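Review bot: The upper bound on buf_size in spcom_handle_send_modified_command uses SPCOM_MAX_RESPONSE_SIZE, although buf_size sizes the transmit buffer allocated just below (`tx_buf_size = sizeof(*hdr) + buf_size`). If the driver defines a separate request-side limit, that is the constant to compare against; if the response limit is intentionally shared, a comment such as `/* requests are capped at the response size limit */` would say so. Both new pr_err calls print with `%d`; if buf_size is unsigned (its declaration is outside the hunk), `%u` is the matching specifier.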
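Review bot: The new pr_err message in spcom_handle_read_req_resp misspells "invalid" as "inavlid", so a log search for the word used by the other size checks in this commit will miss this one. The line should read `pr_err("ch [%s] invalid size [%d].\n",`. The function body starts and ends outside the hunk.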