evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "soc: qcom: Avoid possible buffer overflow in service-locator"

Browse source
This commit is contained in:
Linux Build Service Account 2017-03-14 23:45:46 -07:00 committed by Gerrit - the friendly Code Review server
commit 3961be10c4
1 changed files with 7 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
drivers/soc/qcom/service-locator.c
View file

@ -266,10 +266,9 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
if (!domains_read) { if (!domains_read) {
db_rev_count = pd->db_rev_count = resp->db_rev_count; db_rev_count = pd->db_rev_count = resp->db_rev_count;
pd->total_domains = resp->total_domains; pd->total_domains = resp->total_domains;
if (!pd->total_domains && resp->domain_list_len) { if (!resp->total_domains)
pr_err("total domains not set\n"); pr_info("No matching domains found\n");
pd->total_domains = resp->domain_list_len;
}
pd->domain_list = kmalloc( pd->domain_list = kmalloc(
sizeof(struct servreg_loc_entry_v01) * sizeof(struct servreg_loc_entry_v01) *
resp->total_domains, GFP_KERNEL); resp->total_domains, GFP_KERNEL);
@ -286,6 +285,10 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
rc = -EAGAIN; rc = -EAGAIN;
goto out; goto out;
} }
if (resp->domain_list_len > resp->total_domains) {
/* Always read total_domains from the response msg */
resp->domain_list_len = resp->total_domains;
}
/* Copy the response*/ /* Copy the response*/
store_get_domain_list_response(pd, resp, domains_read); store_get_domain_list_response(pd, resp, domains_read);
domains_read += resp->domain_list_len; domains_read += resp->domain_list_len;