diff options
author | Samyukta Mogily <smogily@codeaurora.org> | 2017-07-04 16:22:07 +0530 |
---|---|---|
committer | Samyukta Mogily <smogily@codeaurora.org> | 2017-07-07 15:39:15 +0530 |
commit | 47bfda463561e672d9ea808df5bb63c9085e68f5 (patch) | |
tree | 4e062b9d7acb547c924a5d276159b9070c710085 /drivers | |
parent | 0c44f3c838e32d6c4928a3d175b5406b4b4af293 (diff) |
msm: sensor: Fix to validate the settings size in flash
The size of the settings copied from userspace, is directly checked
in msm_cci_data_queue with CCI_I2C_MAX_WRITE. This might cause
out of bound access in function msm_cci_data_queue as the max size is
MAX_I2C_REG_SET. Hence adding check on the size in flash driver itself.
Change-Id: Ifac358be9f4b4ff60d14c20e02886c2d044e7f52
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c index 491b8d31935a..cf7d1a8aa1f4 100644 --- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c +++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c @@ -152,6 +152,12 @@ static int32_t msm_flash_i2c_write_table( conf_array.reg_setting = settings->reg_setting_a; conf_array.size = settings->size; + /* Validate the settings size */ + if ((!conf_array.size) || (conf_array.size > MAX_I2C_REG_SET)) { + pr_err("failed: invalid size %d", conf_array.size); + return -EINVAL; + } + return flash_ctrl->flash_i2c_client.i2c_func_tbl->i2c_write_table( &flash_ctrl->flash_i2c_client, &conf_array); } |