evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "crypto: msm: check integer overflow on total data len in qcedev.c"

Browse source
This commit is contained in:
Linux Build Service Account 2017-01-23 12:54:11 -08:00 committed by Gerrit - the friendly Code Review server
commit 314869eb56
1 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
drivers/crypto/msm/qcedev.c
View file

@ -1445,6 +1445,15 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
pr_err("%s: Invalid byte offset\n", __func__); pr_err("%s: Invalid byte offset\n", __func__);
goto error; goto error;
} }
total = req->byteoffset;
for (i = 0; i < req->entries; i++) {
if (total > U32_MAX - req->vbuf.src[i].len) {
pr_err("%s:Integer overflow on total src len\n",
__func__);
goto error;
}
total += req->vbuf.src[i].len;
}
} }
if (req->data_len < req->byteoffset) { if (req->data_len < req->byteoffset) {
@ -1480,7 +1489,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
} }
} }
/* Check for sum of all dst length is equal to data_len */ /* Check for sum of all dst length is equal to data_len */
for (i = 0; i < req->entries; i++) { for (i = 0, total = 0; i < req->entries; i++) {
if (req->vbuf.dst[i].len >= U32_MAX - total) { if (req->vbuf.dst[i].len >= U32_MAX - total) {
pr_err("%s: Integer overflow on total req dst vbuf length\n", pr_err("%s: Integer overflow on total req dst vbuf length\n",
__func__); __func__);