authorSamyukta Mogily <smogily@codeaurora.org>2017-07-04 16:22:07 +0530
committerSamyukta Mogily <smogily@codeaurora.org>2017-07-07 15:39:15 +0530
commit47bfda463561e672d9ea808df5bb63c9085e68f5 (patch)
tree4e062b9d7acb547c924a5d276159b9070c710085 /drivers
parent0c44f3c838e32d6c4928a3d175b5406b4b4af293 (diff)
msm: sensor: Fix to validate the settings size in flash
The size of the settings copied from userspace is checked directly in msm_cci_data_queue against CCI_I2C_MAX_WRITE. This might cause an out-of-bounds access in msm_cci_data_queue, as the maximum size is MAX_I2C_REG_SET. Hence, add a check on the size in the flash driver itself. Change-Id: Ifac358be9f4b4ff60d14c20e02886c2d044e7f52 Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
index 491b8d31935a..cf7d1a8aa1f4 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
@@ -152,6 +152,12 @@ static int32_t msm_flash_i2c_write_table(
conf_array.reg_setting = settings->reg_setting_a;
conf_array.size = settings->size;
+ /* Validate the settings size */
+ if ((!conf_array.size) || (conf_array.size > MAX_I2C_REG_SET)) {
+ pr_err("failed: invalid size %d", conf_array.size);
+ return -EINVAL;
+ }
+
return flash_ctrl->flash_i2c_client.i2c_func_tbl->i2c_write_table(
&flash_ctrl->flash_i2c_client, &conf_array);
}
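Review bot: The added `pr_err("failed: invalid size %d", conf_array.size);` has no trailing newline and is not rate-limited, although the commit message says the size comes from userspace, so a caller that keeps passing a bad size can flood the kernel log. I would write `pr_err_ratelimited("%s: invalid settings size %u\n", __func__, conf_array.size);`. The `%u` assumes the size field is unsigned, which its declaration outside this hunk should confirm. The guard covers only this caller. Going by the commit message, msm_cci_data_queue still compares against CCI_I2C_MAX_WRITE, so any other path into that function presumably needs the same MAX_I2C_REG_SET bound, or the check belongs at the sink. The body of msm_flash_i2c_write_table starts above the hunk, so the validation of the other copied fields is not visible here.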