Merge "msm: ipa: fix potential race condition ioctls"
commit
8309f6afda
2 changed files with 411 additions and 72 deletions
|
@ -575,6 +575,7 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
struct ipa_ioc_v4_nat_del nat_del;
|
||||
struct ipa_ioc_rm_dependency rm_depend;
|
||||
size_t sz;
|
||||
int pre_entry;
|
||||
|
||||
IPADBG("cmd=%x nr=%d\n", cmd, _IOC_NR(cmd));
|
||||
|
||||
|
@ -623,11 +624,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
pre_entry =
|
||||
((struct ipa_ioc_nat_dma_cmd *)header)->entries;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_nat_dma_cmd) +
|
||||
((struct ipa_ioc_nat_dma_cmd *)header)->entries *
|
||||
sizeof(struct ipa_ioc_nat_dma_one);
|
||||
pre_entry * sizeof(struct ipa_ioc_nat_dma_one);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -638,7 +639,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_nat_dma_cmd *)param)->entries
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_nat_dma_cmd *)param)->entries,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_nat_dma_cmd((struct ipa_ioc_nat_dma_cmd *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -663,10 +672,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_add_hdr *)header)->num_hdrs;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_add_hdr) +
|
||||
((struct ipa_ioc_add_hdr *)header)->num_hdrs *
|
||||
sizeof(struct ipa_hdr_add);
|
||||
pre_entry * sizeof(struct ipa_hdr_add);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -676,6 +686,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_add_hdr *)param)->num_hdrs
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_add_hdr *)param)->num_hdrs,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_add_hdr((struct ipa_ioc_add_hdr *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -692,10 +711,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_del_hdr *)header)->num_hdls;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_del_hdr) +
|
||||
((struct ipa_ioc_del_hdr *)header)->num_hdls *
|
||||
sizeof(struct ipa_hdr_del);
|
||||
pre_entry * sizeof(struct ipa_hdr_del);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -705,6 +725,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_del_hdr *)param)->num_hdls
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_del_hdr *)param)->num_hdls,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_del_hdr((struct ipa_ioc_del_hdr *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -721,10 +750,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_add_rt_rule *)header)->num_rules;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_add_rt_rule) +
|
||||
((struct ipa_ioc_add_rt_rule *)header)->num_rules *
|
||||
sizeof(struct ipa_rt_rule_add);
|
||||
pre_entry * sizeof(struct ipa_rt_rule_add);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -734,6 +764,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_add_rt_rule *)param)->num_rules
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_add_rt_rule *)param)->
|
||||
num_rules,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_add_rt_rule((struct ipa_ioc_add_rt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -750,10 +790,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_mdfy_rt_rule) +
|
||||
((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules *
|
||||
sizeof(struct ipa_rt_rule_mdfy);
|
||||
pre_entry * sizeof(struct ipa_rt_rule_mdfy);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -763,6 +804,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_mdfy_rt_rule *)param)->num_rules
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_mdfy_rt_rule *)param)->
|
||||
num_rules,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_mdfy_rt_rule((struct ipa_ioc_mdfy_rt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -779,10 +830,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_del_rt_rule *)header)->num_hdls;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_del_rt_rule) +
|
||||
((struct ipa_ioc_del_rt_rule *)header)->num_hdls *
|
||||
sizeof(struct ipa_rt_rule_del);
|
||||
pre_entry * sizeof(struct ipa_rt_rule_del);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -792,6 +844,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_del_rt_rule *)param)->num_hdls
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_del_rt_rule *)param)->num_hdls,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_del_rt_rule((struct ipa_ioc_del_rt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -808,10 +869,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_add_flt_rule *)header)->num_rules;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_add_flt_rule) +
|
||||
((struct ipa_ioc_add_flt_rule *)header)->num_rules *
|
||||
sizeof(struct ipa_flt_rule_add);
|
||||
pre_entry * sizeof(struct ipa_flt_rule_add);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -821,6 +883,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_add_flt_rule *)param)->num_rules
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_add_flt_rule *)param)->
|
||||
num_rules,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_add_flt_rule((struct ipa_ioc_add_flt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -837,10 +909,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_del_flt_rule *)header)->num_hdls;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_del_flt_rule) +
|
||||
((struct ipa_ioc_del_flt_rule *)header)->num_hdls *
|
||||
sizeof(struct ipa_flt_rule_del);
|
||||
pre_entry * sizeof(struct ipa_flt_rule_del);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -850,6 +923,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_del_flt_rule *)param)->num_hdls
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_del_flt_rule *)param)->
|
||||
num_hdls,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_del_flt_rule((struct ipa_ioc_del_flt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -866,10 +949,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_mdfy_flt_rule) +
|
||||
((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules *
|
||||
sizeof(struct ipa_flt_rule_mdfy);
|
||||
pre_entry * sizeof(struct ipa_flt_rule_mdfy);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -879,6 +963,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_mdfy_flt_rule *)param)->num_rules
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_mdfy_flt_rule *)param)->
|
||||
num_rules,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_mdfy_flt_rule((struct ipa_ioc_mdfy_flt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -992,9 +1086,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
pyld_sz = sz + ((struct ipa_ioc_query_intf_tx_props *)
|
||||
header)->num_tx_props *
|
||||
pre_entry =
|
||||
((struct ipa_ioc_query_intf_tx_props *)
|
||||
header)->num_tx_props;
|
||||
pyld_sz = sz + pre_entry *
|
||||
sizeof(struct ipa_ioc_tx_intf_prop);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
|
@ -1005,6 +1100,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_query_intf_tx_props *)
|
||||
param)->num_tx_props
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_query_intf_tx_props *)
|
||||
param)->num_tx_props, pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa_query_intf_tx_props(
|
||||
(struct ipa_ioc_query_intf_tx_props *)param)) {
|
||||
retval = -1;
|
||||
|
@ -1027,9 +1132,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
pyld_sz = sz + ((struct ipa_ioc_query_intf_rx_props *)
|
||||
header)->num_rx_props *
|
||||
pre_entry =
|
||||
((struct ipa_ioc_query_intf_rx_props *)
|
||||
header)->num_rx_props;
|
||||
pyld_sz = sz + pre_entry *
|
||||
sizeof(struct ipa_ioc_rx_intf_prop);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
|
@ -1040,6 +1146,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_query_intf_rx_props *)
|
||||
param)->num_rx_props != pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_query_intf_rx_props *)
|
||||
param)->num_rx_props, pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa_query_intf_rx_props(
|
||||
(struct ipa_ioc_query_intf_rx_props *)param)) {
|
||||
retval = -1;
|
||||
|
@ -1062,9 +1177,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
pyld_sz = sz + ((struct ipa_ioc_query_intf_ext_props *)
|
||||
header)->num_ext_props *
|
||||
pre_entry =
|
||||
((struct ipa_ioc_query_intf_ext_props *)
|
||||
header)->num_ext_props;
|
||||
pyld_sz = sz + pre_entry *
|
||||
sizeof(struct ipa_ioc_ext_intf_prop);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
|
@ -1075,6 +1191,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_query_intf_ext_props *)
|
||||
param)->num_ext_props != pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_query_intf_ext_props *)
|
||||
param)->num_ext_props, pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa_query_intf_ext_props(
|
||||
(struct ipa_ioc_query_intf_ext_props *)param)) {
|
||||
retval = -1;
|
||||
|
@ -1091,8 +1216,10 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pyld_sz = sizeof(struct ipa_msg_meta) +
|
||||
pre_entry =
|
||||
((struct ipa_msg_meta *)header)->msg_len;
|
||||
pyld_sz = sizeof(struct ipa_msg_meta) +
|
||||
pre_entry;
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -1102,6 +1229,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_msg_meta *)param)->msg_len
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_msg_meta *)param)->msg_len,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa_pull_msg((struct ipa_msg_meta *)param,
|
||||
(char *)param + sizeof(struct ipa_msg_meta),
|
||||
((struct ipa_msg_meta *)param)->msg_len) !=
|
||||
|
@ -1218,10 +1354,12 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_add_hdr_proc_ctx *)
|
||||
header)->num_proc_ctxs;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_add_hdr_proc_ctx) +
|
||||
((struct ipa_ioc_add_hdr_proc_ctx *)header)->num_proc_ctxs *
|
||||
sizeof(struct ipa_hdr_proc_ctx_add);
|
||||
pre_entry * sizeof(struct ipa_hdr_proc_ctx_add);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -1231,6 +1369,15 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_add_hdr_proc_ctx *)
|
||||
param)->num_proc_ctxs != pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_add_hdr_proc_ctx *)
|
||||
param)->num_proc_ctxs, pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_add_hdr_proc_ctx(
|
||||
(struct ipa_ioc_add_hdr_proc_ctx *)param)) {
|
||||
retval = -EFAULT;
|
||||
|
@ -1247,10 +1394,11 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_del_hdr_proc_ctx) +
|
||||
((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls *
|
||||
sizeof(struct ipa_hdr_proc_ctx_del);
|
||||
pre_entry * sizeof(struct ipa_hdr_proc_ctx_del);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -1260,6 +1408,16 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_del_hdr_proc_ctx *)
|
||||
param)->num_hdls != pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_del_hdr_proc_ctx *)param)->
|
||||
num_hdls,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa2_del_hdr_proc_ctx(
|
||||
(struct ipa_ioc_del_hdr_proc_ctx *)param)) {
|
||||
retval = -EFAULT;
|
||||
|
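Review bot: The count read from `header` still sizes the allocation with unchecked arithmetic in every case of this section, e.g. `pyld_sz = sz + pre_entry * sizeof(struct ipa_ioc_tx_intf_prop);` in the query_intf_tx_props hunk, and the added equality check cannot reject an oversized count because both copies carry the same user value. `pre_entry` is a signed `int`, so if a count field is a 32-bit unsigned type (the struct definitions are not on this page) a large value goes negative and converts to a huge `size_t` in the product, and where `size_t` is 32 bits the sum can wrap to a small `pyld_sz`. I would bound the count before `kzalloc`, `if (pre_entry < 0 || pre_entry > (SIZE_MAX - sz) / sizeof(struct ipa_ioc_tx_intf_prop)) { retval = -EINVAL; break; }`, using the fixed struct size in place of `sz` in the other cases, and the same guard applies to the matching hunks in ipa3_ioctl. The comment would be clearer as `/* count is read from user space twice; reject if it changed after param was sized */`. ipa_ioctl starts and ends outside these hunks, so whether a limit is enforced further down is not visible here.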
|
|
@ -596,6 +596,7 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
struct ipa_ioc_v4_nat_del nat_del;
|
||||
struct ipa_ioc_rm_dependency rm_depend;
|
||||
size_t sz;
|
||||
int pre_entry;
|
||||
|
||||
IPADBG("cmd=%x nr=%d\n", cmd, _IOC_NR(cmd));
|
||||
|
||||
|
@ -649,11 +650,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
pre_entry =
|
||||
((struct ipa_ioc_nat_dma_cmd *)header)->entries;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_nat_dma_cmd) +
|
||||
((struct ipa_ioc_nat_dma_cmd *)header)->entries *
|
||||
sizeof(struct ipa_ioc_nat_dma_one);
|
||||
pre_entry * sizeof(struct ipa_ioc_nat_dma_one);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -664,7 +665,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_nat_dma_cmd *)param)->entries
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_nat_dma_cmd *)param)->entries,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_nat_dma_cmd((struct ipa_ioc_nat_dma_cmd *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -689,10 +698,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_add_hdr *)header)->num_hdrs;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_add_hdr) +
|
||||
((struct ipa_ioc_add_hdr *)header)->num_hdrs *
|
||||
sizeof(struct ipa_hdr_add);
|
||||
pre_entry * sizeof(struct ipa_hdr_add);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -702,6 +712,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_add_hdr *)param)->num_hdrs
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_add_hdr *)param)->num_hdrs,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_add_hdr((struct ipa_ioc_add_hdr *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -718,10 +737,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_del_hdr *)header)->num_hdls;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_del_hdr) +
|
||||
((struct ipa_ioc_del_hdr *)header)->num_hdls *
|
||||
sizeof(struct ipa_hdr_del);
|
||||
pre_entry * sizeof(struct ipa_hdr_del);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -731,6 +751,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_del_hdr *)param)->num_hdls
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_del_hdr *)param)->num_hdls,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_del_hdr((struct ipa_ioc_del_hdr *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -747,10 +776,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_add_rt_rule *)header)->num_rules;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_add_rt_rule) +
|
||||
((struct ipa_ioc_add_rt_rule *)header)->num_rules *
|
||||
sizeof(struct ipa_rt_rule_add);
|
||||
pre_entry * sizeof(struct ipa_rt_rule_add);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -760,6 +790,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_add_rt_rule *)param)->num_rules
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_add_rt_rule *)param)->
|
||||
num_rules,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_add_rt_rule((struct ipa_ioc_add_rt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -776,10 +816,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_add_rt_rule_after *)header)->num_rules;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_add_rt_rule_after) +
|
||||
((struct ipa_ioc_add_rt_rule_after *)header)->num_rules *
|
||||
sizeof(struct ipa_rt_rule_add);
|
||||
pre_entry * sizeof(struct ipa_rt_rule_add);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -789,6 +830,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_add_rt_rule_after *)param)->
|
||||
num_rules != pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_add_rt_rule_after *)param)->
|
||||
num_rules,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_add_rt_rule_after(
|
||||
(struct ipa_ioc_add_rt_rule_after *)param)) {
|
||||
|
||||
|
@ -807,10 +858,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_mdfy_rt_rule) +
|
||||
((struct ipa_ioc_mdfy_rt_rule *)header)->num_rules *
|
||||
sizeof(struct ipa_rt_rule_mdfy);
|
||||
pre_entry * sizeof(struct ipa_rt_rule_mdfy);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -820,6 +872,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_mdfy_rt_rule *)param)->num_rules
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_mdfy_rt_rule *)param)->
|
||||
num_rules,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_mdfy_rt_rule((struct ipa_ioc_mdfy_rt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -836,10 +898,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_del_rt_rule *)header)->num_hdls;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_del_rt_rule) +
|
||||
((struct ipa_ioc_del_rt_rule *)header)->num_hdls *
|
||||
sizeof(struct ipa_rt_rule_del);
|
||||
pre_entry * sizeof(struct ipa_rt_rule_del);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -849,6 +912,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_del_rt_rule *)param)->num_hdls
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_del_rt_rule *)param)->num_hdls,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_del_rt_rule((struct ipa_ioc_del_rt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -865,10 +937,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_add_flt_rule *)header)->num_rules;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_add_flt_rule) +
|
||||
((struct ipa_ioc_add_flt_rule *)header)->num_rules *
|
||||
sizeof(struct ipa_flt_rule_add);
|
||||
pre_entry * sizeof(struct ipa_flt_rule_add);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -878,6 +951,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_add_flt_rule *)param)->num_rules
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_add_flt_rule *)param)->
|
||||
num_rules,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_add_flt_rule((struct ipa_ioc_add_flt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -895,10 +978,12 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_add_flt_rule_after *)header)->
|
||||
num_rules;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_add_flt_rule_after) +
|
||||
((struct ipa_ioc_add_flt_rule_after *)header)->num_rules *
|
||||
sizeof(struct ipa_flt_rule_add);
|
||||
pre_entry * sizeof(struct ipa_flt_rule_add);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -908,6 +993,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_add_flt_rule_after *)param)->
|
||||
num_rules != pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_add_flt_rule_after *)param)->
|
||||
num_rules,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_add_flt_rule_after(
|
||||
(struct ipa_ioc_add_flt_rule_after *)param)) {
|
||||
retval = -EFAULT;
|
||||
|
@ -925,10 +1020,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_del_flt_rule *)header)->num_hdls;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_del_flt_rule) +
|
||||
((struct ipa_ioc_del_flt_rule *)header)->num_hdls *
|
||||
sizeof(struct ipa_flt_rule_del);
|
||||
pre_entry * sizeof(struct ipa_flt_rule_del);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -938,6 +1034,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_del_flt_rule *)param)->num_hdls
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_del_flt_rule *)param)->
|
||||
num_hdls,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_del_flt_rule((struct ipa_ioc_del_flt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -954,10 +1060,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_mdfy_flt_rule) +
|
||||
((struct ipa_ioc_mdfy_flt_rule *)header)->num_rules *
|
||||
sizeof(struct ipa_flt_rule_mdfy);
|
||||
pre_entry * sizeof(struct ipa_flt_rule_mdfy);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -967,6 +1074,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_mdfy_flt_rule *)param)->num_rules
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_mdfy_flt_rule *)param)->
|
||||
num_rules,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_mdfy_flt_rule((struct ipa_ioc_mdfy_flt_rule *)param)) {
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
|
@ -1080,9 +1197,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
pyld_sz = sz + ((struct ipa_ioc_query_intf_tx_props *)
|
||||
header)->num_tx_props *
|
||||
pre_entry =
|
||||
((struct ipa_ioc_query_intf_tx_props *)
|
||||
header)->num_tx_props;
|
||||
pyld_sz = sz + pre_entry *
|
||||
sizeof(struct ipa_ioc_tx_intf_prop);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
|
@ -1093,6 +1211,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_query_intf_tx_props *)
|
||||
param)->num_tx_props
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_query_intf_tx_props *)
|
||||
param)->num_tx_props, pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_query_intf_tx_props(
|
||||
(struct ipa_ioc_query_intf_tx_props *)param)) {
|
||||
retval = -1;
|
||||
|
@ -1115,9 +1243,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
pyld_sz = sz + ((struct ipa_ioc_query_intf_rx_props *)
|
||||
header)->num_rx_props *
|
||||
pre_entry =
|
||||
((struct ipa_ioc_query_intf_rx_props *)
|
||||
header)->num_rx_props;
|
||||
pyld_sz = sz + pre_entry *
|
||||
sizeof(struct ipa_ioc_rx_intf_prop);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
|
@ -1128,6 +1257,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_query_intf_rx_props *)
|
||||
param)->num_rx_props != pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_query_intf_rx_props *)
|
||||
param)->num_rx_props, pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_query_intf_rx_props(
|
||||
(struct ipa_ioc_query_intf_rx_props *)param)) {
|
||||
retval = -1;
|
||||
|
@ -1150,9 +1288,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
pyld_sz = sz + ((struct ipa_ioc_query_intf_ext_props *)
|
||||
header)->num_ext_props *
|
||||
pre_entry =
|
||||
((struct ipa_ioc_query_intf_ext_props *)
|
||||
header)->num_ext_props;
|
||||
pyld_sz = sz + pre_entry *
|
||||
sizeof(struct ipa_ioc_ext_intf_prop);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
|
@ -1163,6 +1302,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_query_intf_ext_props *)
|
||||
param)->num_ext_props != pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_query_intf_ext_props *)
|
||||
param)->num_ext_props, pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_query_intf_ext_props(
|
||||
(struct ipa_ioc_query_intf_ext_props *)param)) {
|
||||
retval = -1;
|
||||
|
@ -1179,8 +1327,10 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pyld_sz = sizeof(struct ipa_msg_meta) +
|
||||
pre_entry =
|
||||
((struct ipa_msg_meta *)header)->msg_len;
|
||||
pyld_sz = sizeof(struct ipa_msg_meta) +
|
||||
pre_entry;
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -1190,6 +1340,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_msg_meta *)param)->msg_len
|
||||
!= pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_msg_meta *)param)->msg_len,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_pull_msg((struct ipa_msg_meta *)param,
|
||||
(char *)param + sizeof(struct ipa_msg_meta),
|
||||
((struct ipa_msg_meta *)param)->msg_len) !=
|
||||
|
@ -1306,10 +1465,12 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_add_hdr_proc_ctx *)
|
||||
header)->num_proc_ctxs;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_add_hdr_proc_ctx) +
|
||||
((struct ipa_ioc_add_hdr_proc_ctx *)header)->num_proc_ctxs *
|
||||
sizeof(struct ipa_hdr_proc_ctx_add);
|
||||
pre_entry * sizeof(struct ipa_hdr_proc_ctx_add);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -1319,6 +1480,15 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_add_hdr_proc_ctx *)
|
||||
param)->num_proc_ctxs != pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_add_hdr_proc_ctx *)
|
||||
param)->num_proc_ctxs, pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_add_hdr_proc_ctx(
|
||||
(struct ipa_ioc_add_hdr_proc_ctx *)param)) {
|
||||
retval = -EFAULT;
|
||||
|
@ -1335,10 +1505,11 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
pre_entry =
|
||||
((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls;
|
||||
pyld_sz =
|
||||
sizeof(struct ipa_ioc_del_hdr_proc_ctx) +
|
||||
((struct ipa_ioc_del_hdr_proc_ctx *)header)->num_hdls *
|
||||
sizeof(struct ipa_hdr_proc_ctx_del);
|
||||
pre_entry * sizeof(struct ipa_hdr_proc_ctx_del);
|
||||
param = kzalloc(pyld_sz, GFP_KERNEL);
|
||||
if (!param) {
|
||||
retval = -ENOMEM;
|
||||
|
@ -1348,6 +1519,16 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
/* add check in case user-space module compromised */
|
||||
if (unlikely(((struct ipa_ioc_del_hdr_proc_ctx *)
|
||||
param)->num_hdls != pre_entry)) {
|
||||
IPAERR("current %d pre %d\n",
|
||||
((struct ipa_ioc_del_hdr_proc_ctx *)param)->
|
||||
num_hdls,
|
||||
pre_entry);
|
||||
retval = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (ipa3_del_hdr_proc_ctx(
|
||||
(struct ipa_ioc_del_hdr_proc_ctx *)param)) {
|
||||
retval = -EFAULT;
|
||||
|
|