diff options
| author | Linux Build Service Account <lnxbuild@localhost> | 2019-06-21 16:30:48 -0700 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-06-21 16:30:48 -0700 |
| commit | 335e20ca9562240766fa3ec9709cb2d853d59a94 (patch) | |
| tree | d18160dcabcc95814284c1ee06e89cdd3b1ccd25 /drivers | |
| parent | abc2a59bfdb9652448374972a284a4763dd64ca8 (diff) | |
| parent | 7caeb5cb7c4f128a505396a588e303ab9ab9c15c (diff) | |
Merge "soc: qcom: glink_spi_xprt: Sanitize input for short cmd"
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/soc/qcom/glink_spi_xprt.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/drivers/soc/qcom/glink_spi_xprt.c b/drivers/soc/qcom/glink_spi_xprt.c index ade731cf3251..818051e6e9cb 100644 --- a/drivers/soc/qcom/glink_spi_xprt.c +++ b/drivers/soc/qcom/glink_spi_xprt.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2016-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2016-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -641,10 +641,13 @@ static int glink_spi_xprt_tx_cmd(struct edge_info *einfo, void *src, * is read. * @frag_size: Size of the data fragment to read. * @size_remaining: Size of data left to be read in this packet. + * @rx_size: Max size of data that can be read in this packet + * from source. */ static void process_rx_data(struct edge_info *einfo, uint16_t cmd_id, uint32_t rcid, uint32_t intent_id, void *src, - uint32_t frag_size, uint32_t size_remaining) + uint32_t frag_size, uint32_t size_remaining, + int rx_size) { struct glink_core_rx_intent *intent; int rc = 0; @@ -667,8 +670,14 @@ static void process_rx_data(struct edge_info *einfo, uint16_t cmd_id, return; } - if (cmd_id == TX_SHORT_DATA_CMD) + if (cmd_id == TX_SHORT_DATA_CMD) { + if (frag_size > rx_size) { + GLINK_ERR("%s: frag size:%d greater than rx size %d\n", + __func__, frag_size, rx_size); + return; + } memcpy(intent->data + intent->write_offset, src, frag_size); + } else rc = glink_spi_xprt_rx_data(einfo, src, intent->data + intent->write_offset, frag_size); @@ -838,7 +847,8 @@ static void process_rx_cmd(struct edge_info *einfo, process_rx_data(einfo, cmd->id, cmd->param1, cmd->param2, (void *)(uintptr_t)(rx_descp->addr), - rx_descp->size, rx_descp->size_left); + rx_descp->size, rx_descp->size_left, + rx_size); break; case TX_SHORT_DATA_CMD: @@ -849,7 +859,7 @@ static void process_rx_cmd(struct edge_info *einfo, offset += sizeof(*rx_sd_descp); process_rx_data(einfo, cmd->id, cmd->param1, cmd->param2, (void *)rx_sd_descp->data, - cmd->param3, cmd->param4); + cmd->param3, cmd->param4, rx_size); break; case READ_NOTIF_CMD: |