ANDROID: usb: gadget: f_mtp: Return error if count is negative

If the user passes in a negative file size in an int64,
this will compare to be smaller than buffer length,
and it will get truncated to form a read length that
is larger than the buffer length.

To fix, return -EINVAL if the count argument is negative,
so the loop will never happen.

Bug: 37429972
Test: Test with PoC
Change-Id: I5d52e38e6fbe2c17eb8c493f9eb81df6cfd780a4
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
Jerry Zhang 2017-09-27 11:49:44 -07:00 committed by Greg Hackmann
parent 7a95540418
commit 34e65b671b

@ -729,6 +729,11 @@ static void send_file_work(struct work_struct *data)
offset = dev->xfer_file_offset;
count = dev->xfer_file_length;
if (count < 0) {
dev->xfer_result = -EINVAL;
return;
}
DBG(cdev, "send_file_work(%lld %lld)\n", offset, count);
if (dev->xfer_send_header) {
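Review bot: The new `count < 0` guard at the top of send_file_work only covers the sign, while the commit message attributes the oversized read length to truncation of the 64-bit count. The length computation further down is not part of this hunk, so please confirm it clamps against the buffer size while still in 64-bit, before narrowing; otherwise a large positive count could still end up on the same path. Separately, the early return sits before the existing DBG call, so a rejected request leaves no trace in the log. A DBG line inside the new branch that prints the rejected count would make this visible when triaging.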
@ -835,6 +840,11 @@ static void receive_file_work(struct work_struct *data)
offset = dev->xfer_file_offset;
count = dev->xfer_file_length;
if (count < 0) {
dev->xfer_result = -EINVAL;
return;
}
DBG(cdev, "receive_file_work(%lld)\n", count);
while (count > 0 || write_req) {
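Review bot: The five-line guard in receive_file_work is a verbatim copy of the one added to send_file_work, and both run only after the value has already been stored in `dev->xfer_file_length`. Consider validating the length once, at the point where `xfer_file_length` is assigned from the caller's argument, and returning -EINVAL there so that neither work function runs with a negative count. If the per-function checks are kept as defence in depth, a short comment stating that `count` originates from userspace would explain why a signed length is being tested at all.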