From 642effc4f67956ae381db16e511eac000044ed2d Mon Sep 17 00:00:00 2001 From: Yan He Date: Wed, 2 Nov 2016 11:51:10 -0700 Subject: [PATCH] msm: sps: add the checking of userspace input length Add the checking of the input length from userspace so kernel space will not copy any content outside the input buffer. Change-Id: I3cef834ed1df836356ba40e6e950a534ec49819d Signed-off-by: Yan He --- drivers/platform/msm/sps/sps.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/platform/msm/sps/sps.c b/drivers/platform/msm/sps/sps.c index eab0e47e7cd2..2f11c6dd7e05 100644 --- a/drivers/platform/msm/sps/sps.c +++ b/drivers/platform/msm/sps/sps.c @@ -131,9 +131,10 @@ static ssize_t sps_set_info(struct file *file, const char __user *buf, int i; u32 buf_size_kb = 0; u32 new_buf_size; + u32 size = sizeof(str) < count ? sizeof(str) : count; memset(str, 0, sizeof(str)); - missing = copy_from_user(str, buf, sizeof(str)); + missing = copy_from_user(str, buf, size); if (missing) return -EFAULT; @@ -221,9 +222,10 @@ static ssize_t sps_set_logging_option(struct file *file, const char __user *buf, char str[MAX_MSG_LEN]; int i; u8 option = 0; + u32 size = sizeof(str) < count ? sizeof(str) : count; memset(str, 0, sizeof(str)); - missing = copy_from_user(str, buf, sizeof(str)); + missing = copy_from_user(str, buf, size); if (missing) return -EFAULT; @@ -270,9 +272,10 @@ static ssize_t sps_set_bam_addr(struct file *file, const char __user *buf, struct sps_bam *bam; u32 num_pipes = 0; void *vir_addr; + u32 size = sizeof(str) < count ? sizeof(str) : count; memset(str, 0, sizeof(str)); - missing = copy_from_user(str, buf, sizeof(str)); + missing = copy_from_user(str, buf, size); if (missing) return -EFAULT;