msm: camera: sensor: Add boundary check for cci master

Add boundary check for cci master in i2c_read.
This value is passed from userspace. If the user sends an
invalid number for master, there is a possibility of
accessing an unintended buffer.

This change addresses the issue.

Crs-Fixed: 1086764
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: Ice3bde902aea96382ceb4dfddfd28a5ea89c183d
Rajesh Bondugula 2016-11-15 12:26:47 -08:00 committed by Gerrit - the friendly Code Review server
parent 9febdfdde0
commit a5f0789405


@ -776,10 +776,18 @@ static int32_t msm_cci_i2c_read(struct v4l2_subdev *sd,
enum cci_i2c_queue_t queue = QUEUE_1;
struct cci_device *cci_dev = NULL;
struct msm_camera_cci_i2c_read_cfg *read_cfg = NULL;
CDBG("%s line %d\n", __func__, __LINE__);
cci_dev = v4l2_get_subdevdata(sd);
master = c_ctrl->cci_info->cci_i2c_master;
read_cfg = &c_ctrl->cfg.cci_i2c_read_cfg;
if (master >= MASTER_MAX || master < 0) {
pr_err("%s:%d Invalid I2C master %d\n",
__func__, __LINE__, master);
return -EINVAL;
}
mutex_lock(&cci_dev->cci_master_info[master].mutex_q[queue]);
/* Set the I2C Frequency */
@ -1004,11 +1012,6 @@ static int32_t msm_cci_i2c_write(struct v4l2_subdev *sd,
enum cci_i2c_master_t master;
cci_dev = v4l2_get_subdevdata(sd);
if (c_ctrl->cci_info->cci_i2c_master >= MASTER_MAX
|| c_ctrl->cci_info->cci_i2c_master < 0) {
pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__);
return -EINVAL;
}
if (cci_dev->cci_state != CCI_STATE_ENABLED) {
pr_err("%s invalid cci state %d\n",
__func__, cci_dev->cci_state);
@ -1539,6 +1542,11 @@ static int32_t msm_cci_write(struct v4l2_subdev *sd,
return rc;
}
if (c_ctrl->cci_info->cci_i2c_master >= MASTER_MAX
|| c_ctrl->cci_info->cci_i2c_master < 0) {
pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__);
return -EINVAL;
}
master = c_ctrl->cci_info->cci_i2c_master;
cci_master_info = &cci_dev->cci_master_info[master];
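Review bot: In the msm_cci_write hunk the range check reads `c_ctrl->cci_info->cci_i2c_master` twice and the assignment to `master` reads it a third time, so the value that is validated is not guaranteed to be the value that indexes `cci_master_info[]`. Copying it once and checking the local, as the msm_cci_i2c_read hunk does, avoids that if the structure can change between reads (not visible here): `master = c_ctrl->cci_info->cci_i2c_master;` followed by `if (master >= MASTER_MAX || master < 0) {`. The check that appears to be dropped from msm_cci_i2c_write is only safe if every path into that function goes through msm_cci_write, which these hunks do not show. A comment there such as `/* master is range-checked by the caller, msm_cci_write() */` would record that dependency. All three functions begin and end outside the hunks.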