soc: qcom: glink_spi_xprt: Sanitize input for short cmd · 7caeb5cb7c - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

soc: qcom: glink_spi_xprt: Sanitize input for short cmd

Check for data fragment size against the maximum size that can be read
from the source.

Change-Id: I779a9055599cebbeb8f0f9ffb8d62be7e5c53deb
Signed-off-by: Jay Jayanna <jayanna@codeaurora.org>

This commit is contained in:

Jay Jayanna

2019-06-11 14:51:02 -07:00

• committed by

Chris Lew

parent 06ceb6bb61

commit 7caeb5cb7c

1 changed files with 15 additions and 5 deletions

									
										20

drivers/soc/qcom/glink_spi_xprt.c
									
										View file
										
				@ -1,4 +1,4 @@

				/* Copyright (c) 2016-2018, The Linux Foundation. All rights reserved.

				/* Copyright (c) 2016-2019, The Linux Foundation. All rights reserved.

				 *

				 * This program is free software; you can redistribute it and/or modify

				 * it under the terms of the GNU General Public License version 2 and

				@ -641,10 +641,13 @@ static int glink_spi_xprt_tx_cmd(struct edge_info *einfo, void *src,

				 *			is read.

				 * @frag_size:		Size of the data fragment to read.

				 * @size_remaining:	Size of data left to be read in this packet.

				 * @rx_size:	        Max size of data that can be read in this packet

				 *			from source.

				 */

				static void process_rx_data(struct edge_info *einfo, uint16_t cmd_id,

							    uint32_t rcid, uint32_t intent_id, void *src,

							    uint32_t frag_size, uint32_t size_remaining)

							    uint32_t frag_size, uint32_t size_remaining,

							    int rx_size)

				{

					struct glink_core_rx_intent *intent;

					int rc = 0;

				@ -667,8 +670,14 @@ static void process_rx_data(struct edge_info *einfo, uint16_t cmd_id,

						return;

					}

					if (cmd_id == TX_SHORT_DATA_CMD)

					if (cmd_id == TX_SHORT_DATA_CMD) {

						if (frag_size > rx_size) {

							GLINK_ERR("%s: frag size:%d greater than rx size %d\n",

								  __func__, frag_size, rx_size);

							return;

						}

						memcpy(intent->data + intent->write_offset, src, frag_size);

					}

					else

						rc = glink_spi_xprt_rx_data(einfo, src,

								intent->data + intent->write_offset, frag_size);

				@ -838,7 +847,8 @@ static void process_rx_cmd(struct edge_info *einfo,

							process_rx_data(einfo, cmd->id, cmd->param1,

									cmd->param2,

									(void *)(uintptr_t)(rx_descp->addr),

									rx_descp->size, rx_descp->size_left);

									rx_descp->size, rx_descp->size_left,

									rx_size);

							break;

						case TX_SHORT_DATA_CMD:

				@ -849,7 +859,7 @@ static void process_rx_cmd(struct edge_info *einfo,

							offset += sizeof(*rx_sd_descp);

							process_rx_data(einfo, cmd->id, cmd->param1,

									cmd->param2, (void *)rx_sd_descp->data,

									cmd->param3, cmd->param4);

									cmd->param3, cmd->param4, rx_size);

							break;

						case READ_NOTIF_CMD: