diff options
author | Abir Ghosh <abirg@codeaurora.org> | 2017-05-12 09:16:34 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-05-29 23:57:06 -0700 |
commit | 25865f691b22d9b013cce032c06d3c0ed2485495 (patch) | |
tree | 75928f7bf613218feac21662e33d949b7775d135 /drivers | |
parent | ace73576d2eb567f552a699109b32d0917fccdbd (diff) |
qbt1000: Fix for incorrect buffer size check and integer overflow
Fix an incorrect buffer size check which might have caused integer
overflow.
CRs-Fixed: 2045285
Change-Id: I3b5b996c7405f51b488d6cbda31c81a9a9905f23
Signed-off-by: Abir Ghosh <abirg@codeaurora.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/soc/qcom/qbt1000.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c index 6e7d34ac9163..d14e82415c5a 100644 --- a/drivers/soc/qcom/qbt1000.c +++ b/drivers/soc/qcom/qbt1000.c @@ -145,18 +145,17 @@ static int get_cmd_rsp_buffers(struct qseecom_handle *hdl, uint32_t *rsp_len) { /* 64 bytes alignment for QSEECOM */ - *cmd_len = ALIGN(*cmd_len, 64); - *rsp_len = ALIGN(*rsp_len, 64); + uint64_t aligned_cmd_len = ALIGN((uint64_t)*cmd_len, 64); + uint64_t aligned_rsp_len = ALIGN((uint64_t)*rsp_len, 64); - if (((uint64_t)*rsp_len + (uint64_t)*cmd_len) - > (uint64_t)g_app_buf_size) { - pr_err("buffer too small to hold cmd=%d and rsp=%d\n", - *cmd_len, *rsp_len); + if ((aligned_rsp_len + aligned_cmd_len) > (uint64_t)g_app_buf_size) return -ENOMEM; - } *cmd = hdl->sbuf; + *cmd_len = aligned_cmd_len; *rsp = hdl->sbuf + *cmd_len; + *rsp_len = aligned_rsp_len; + return 0; } |