evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: sensor: Fix to validate the settings size in flash

Browse source 
The size of the settings copied from userspace, is directly checked
in msm_cci_data_queue with CCI_I2C_MAX_WRITE. This might cause
out of bound access in function msm_cci_data_queue as the max size is
MAX_I2C_REG_SET. Hence adding check on the size in flash driver itself.

Change-Id: Ifac358be9f4b4ff60d14c20e02886c2d044e7f52
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
This commit is contained in:
Samyukta Mogily 2017-07-04 16:22:07 +05:30
parent 0c44f3c838
commit 47bfda4635
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
View file

@ -152,6 +152,12 @@ static int32_t msm_flash_i2c_write_table(
conf_array.reg_setting = settings->reg_setting_a;
conf_array.size = settings->size;
/* Validate the settings size */
if ((!conf_array.size) || (conf_array.size > MAX_I2C_REG_SET)) {
pr_err("failed: invalid size %d", conf_array.size);
return -EINVAL;
}
return flash_ctrl->flash_i2c_client.i2c_func_tbl->i2c_write_table(
&flash_ctrl->flash_i2c_client, &conf_array);
}