soc: qcom: qmi_encdec: Restrict string length in decode · 4fedfe5c4d - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

soc: qcom: qmi_encdec: Restrict string length in decode

The QMI TLV value for strings in a lot of qmi element info structures
account for null terminated strings with MAX_LEN + 1. If a string is
actually MAX_LEN + 1 length, this will cause an out of bounds access
when the NULL character is appended in decoding.

CR-Fixed: 2359244
Change-Id: I4d789bc6017ff58458f77fe875ca4e175a4f1357
Signed-off-by: Chris Lew <clew@codeaurora.org>
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>

This commit is contained in:

Deepak Kumar Singh

2019-03-05 17:16:54 +05:30

• committed by

Gerrit - the friendly Code Review server

parent a1b80321ae

commit 4fedfe5c4d

1 changed files with 3 additions and 3 deletions

									
										6

lib/qmi_encdec.c
									
										View file
										
				@ -1,4 +1,4 @@

				/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.

				/* Copyright (c) 2012-2015, 2019 The Linux Foundation. All rights reserved.

				 *

				 * This program is free software; you can redistribute it and/or modify

				 * it under the terms of the GNU General Public License version 2 and

				@ -710,8 +710,8 @@ static int qmi_decode_string_elem(struct elem_info *ei_array, void *buf_dst,

						decoded_bytes += rc;

					}

					if (string_len > temp_ei->elem_len) {

						pr_err("%s: String len %d > Max Len %d\n",

					if (string_len >= temp_ei->elem_len) {

						pr_err("%s: String len %d >= Max Len %d\n",

							__func__, string_len, temp_ei->elem_len);

						return -ETOOSMALL;

					} else if (string_len > tlv_len) {