evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "msm: ipa: Fix to validate the buffer size"

Browse source
This commit is contained in:
Linux Build Service Account 2019-02-11 14:14:59 -08:00 committed by Gerrit - the friendly Code Review server
commit d6d1fb066f
1 changed files with 17 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
drivers/platform/msm/ipa/ipa_v2/ipa_intf.c
View file

@ -1,4 +1,4 @@
/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
/* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -735,8 +735,14 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
IPADBG("msg=%pK\n", msg);
locked = 0;
mutex_unlock(&ipa_ctx->msg_lock);
if (count < sizeof(struct ipa_msg_meta)) {
kfree(msg);
msg = NULL;
ret = -EFAULT;
break;
}
if (copy_to_user(buf, &msg->meta,
sizeof(struct ipa_msg_meta))) {
sizeof(struct ipa_msg_meta))) {
kfree(msg);
msg = NULL;
ret = -EFAULT;
@ -745,8 +751,15 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
buf += sizeof(struct ipa_msg_meta);
count -= sizeof(struct ipa_msg_meta);
if (msg->buff) {
if (copy_to_user(buf, msg->buff,
msg->meta.msg_len)) {
if (count >= msg->meta.msg_len) {
if (copy_to_user(buf, msg->buff,
msg->meta.msg_len)) {
kfree(msg);
msg = NULL;
ret = -EFAULT;
break;
}
} else {
kfree(msg);
msg = NULL;
ret = -EFAULT;