qbt1000: Fix for incorrect buffer size check and integer overflow

Fix an incorrect buffer size check which might have caused integer overflow. CRs-Fixed: 2045285 Change-Id: I3b5b996c7405f51b488d6cbda31c81a9a9905f23 Signed-off-by: Abir Ghosh <abirg@codeaurora.org>
author: Abir Ghosh <abirg@codeaurora.org> 2017-05-12 09:16:34 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2017-05-29 23:57:06 -0700
commit: 25865f691b22d9b013cce032c06d3c0ed2485495 (patch)
tree: 75928f7bf613218feac21662e33d949b7775d135 /drivers
parent: ace73576d2eb567f552a699109b32d0917fccdbd (diff)
1 files changed, 6 insertions, 7 deletions
diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c
index 6e7d34ac9163..d14e82415c5a 100644
--- a/drivers/soc/qcom/qbt1000.c
+++ b/drivers/soc/qcom/qbt1000.c
@@ -145,18 +145,17 @@ static int get_cmd_rsp_buffers(struct qseecom_handle *hdl,
 	uint32_t *rsp_len)
 {
 	/* 64 bytes alignment for QSEECOM */
-	*cmd_len = ALIGN(*cmd_len, 64);
-	*rsp_len = ALIGN(*rsp_len, 64);
+	uint64_t aligned_cmd_len = ALIGN((uint64_t)*cmd_len, 64);
+	uint64_t aligned_rsp_len = ALIGN((uint64_t)*rsp_len, 64);
 
-	if (((uint64_t)*rsp_len + (uint64_t)*cmd_len)
-			> (uint64_t)g_app_buf_size) {
-		pr_err("buffer too small to hold cmd=%d and rsp=%d\n",
-			*cmd_len, *rsp_len);
+	if ((aligned_rsp_len + aligned_cmd_len) > (uint64_t)g_app_buf_size)
 		return -ENOMEM;
-	}
 
 	*cmd = hdl->sbuf;
+	*cmd_len = aligned_cmd_len;
 	*rsp = hdl->sbuf + *cmd_len;
+	*rsp_len = aligned_rsp_len;
+
 	return 0;
 }
author	Abir Ghosh <abirg@codeaurora.org>	2017-05-12 09:16:34 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2017-05-29 23:57:06 -0700
commit	25865f691b22d9b013cce032c06d3c0ed2485495 (patch)
tree	75928f7bf613218feac21662e33d949b7775d135 /drivers
parent	ace73576d2eb567f552a699109b32d0917fccdbd (diff)