From ae82de33ed6776508358f86a744d6e082b6144f1 Mon Sep 17 00:00:00 2001 From: Chaitanya Pratapa Date: Tue, 26 Feb 2019 15:06:31 +0530 Subject: msm: ipa: fix to validate the ioctl WAN_IOC_SEND_LAN_CLIENT_MSG params When processing WAN_IOC_SEND_LAN_CLIENT_MSG ioctl there is a possibility of message_type being invalid and this can lead to out of buffer error. Make a change to validate the ioctl params before processing. Change-Id: If7955f77863b772ae1c8feda5ca0145c822403b9 Signed-off-by: Chaitanya Pratapa --- drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'drivers') diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c index db638930e2a1..656b95316895 100644 --- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c +++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c @@ -3601,6 +3601,15 @@ int rmnet_ipa3_send_lan_client_msg( IPAWANERR("Can't allocate memory for tether_info\n"); return -ENOMEM; } + + if (data->client_event != IPA_PER_CLIENT_STATS_CONNECT_EVENT && + data->client_event != IPA_PER_CLIENT_STATS_DISCONNECT_EVENT) { + IPAWANERR("Wrong event given. Event:- %d\n", + data->client_event); + kfree(lan_client); + return -EINVAL; + } + data->lan_client.lanIface[IPA_RESOURCE_NAME_MAX-1] = '\0'; memset(&msg_meta, 0, sizeof(struct ipa_msg_meta)); memcpy(lan_client, &data->lan_client, sizeof(struct ipa_lan_client_msg)); -- cgit v1.2.3