evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "spcom: check buf_size validity for user send command"

Browse source
This commit is contained in:
Linux Build Service Account 2016-12-13 12:17:54 -08:00 committed by Gerrit - the friendly Code Review server
commit ef451d15bb
1 changed files with 22 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
drivers/soc/qcom/spcom.c
View file

@ -1333,6 +1333,16 @@ static int spcom_handle_send_command(struct spcom_channel *ch,
pr_debug("send req/resp ch [%s] size [%d] .\n", ch->name, size);
/*
* check that cmd buf size is at least struct size,
* to allow access to struct fields.
*/
if (size < sizeof(*cmd)) {
pr_err("ch [%s] invalid cmd buf.\n",
ch->name);
return -EINVAL;
}
/* Check if remote side connect */
if (!spcom_is_channel_connected(ch)) {
pr_err("ch [%s] remote side not connect.\n", ch->name);
@ -1344,6 +1354,18 @@ static int spcom_handle_send_command(struct spcom_channel *ch,
buf_size = cmd->buf_size;
timeout_msec = cmd->timeout_msec;
/* Check param validity */
if (buf_size > SPCOM_MAX_RESPONSE_SIZE) {
pr_err("ch [%s] invalid buf size [%d].\n",
ch->name, buf_size);
return -EINVAL;
}
if (size != sizeof(*cmd) + buf_size) {
pr_err("ch [%s] invalid cmd size [%d].\n",
ch->name, size);
return -EINVAL;
}
/* Allocate Buffers*/
tx_buf_size = sizeof(*hdr) + buf_size;
tx_buf = kzalloc(tx_buf_size, GFP_KERNEL);