msm: pcie: add the checking of userspace input length
Add the checking of the input length from userspace so kernel space will not copy any content outside the input buffer. Change-Id: I114ac005f5305d863bfc0d0fc2db7b5e6d683834 Signed-off-by: Tony Truong <truong@codeaurora.org>
This commit is contained in:
Tony Truong
Gerrit - the friendly Code Review server
parent
96b6f68843
commit
f89c7a13b0
1 changed files with 28 additions and 21 deletions
|
|
@ -2526,13 +2526,14 @@ static ssize_t msm_pcie_cmd_debug(struct file *file,
|
|||
char str[MAX_MSG_LEN];
|
||||
unsigned int testcase = 0;
|
||||
int i;
|
||||
u32 size = sizeof(str) < count ? sizeof(str) : count;
|
||||
|
||||
memset(str, 0, sizeof(str));
|
||||
ret = copy_from_user(str, buf, sizeof(str));
|
||||
memset(str, 0, size);
|
||||
ret = copy_from_user(str, buf, size);
|
||||
if (ret)
|
||||
return -EFAULT;
|
||||
|
||||
for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
testcase = (testcase * 10) + (str[i] - '0');
|
||||
|
||||
if (!rc_sel)
|
||||
|
|
@ -2561,13 +2562,14 @@ static ssize_t msm_pcie_set_rc_sel(struct file *file,
|
|||
char str[MAX_MSG_LEN];
|
||||
int i;
|
||||
u32 new_rc_sel = 0;
|
||||
u32 size = sizeof(str) < count ? sizeof(str) : count;
|
||||
|
||||
memset(str, 0, sizeof(str));
|
||||
ret = copy_from_user(str, buf, sizeof(str));
|
||||
memset(str, 0, size);
|
||||
ret = copy_from_user(str, buf, size);
|
||||
if (ret)
|
||||
return -EFAULT;
|
||||
|
||||
for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
new_rc_sel = (new_rc_sel * 10) + (str[i] - '0');
|
||||
|
||||
if ((!new_rc_sel) || (new_rc_sel > rc_sel_max)) {
|
||||
|
|
@ -2604,13 +2606,14 @@ static ssize_t msm_pcie_set_base_sel(struct file *file,
|
|||
int i;
|
||||
u32 new_base_sel = 0;
|
||||
char *base_sel_name;
|
||||
u32 size = sizeof(str) < count ? sizeof(str) : count;
|
||||
|
||||
memset(str, 0, sizeof(str));
|
||||
ret = copy_from_user(str, buf, sizeof(str));
|
||||
memset(str, 0, size);
|
||||
ret = copy_from_user(str, buf, size);
|
||||
if (ret)
|
||||
return -EFAULT;
|
||||
|
||||
for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
new_base_sel = (new_base_sel * 10) + (str[i] - '0');
|
||||
|
||||
if (!new_base_sel || new_base_sel > 5) {
|
||||
|
|
@ -2705,14 +2708,15 @@ static ssize_t msm_pcie_set_wr_offset(struct file *file,
|
|||
unsigned long ret;
|
||||
char str[MAX_MSG_LEN];
|
||||
int i;
|
||||
u32 size = sizeof(str) < count ? sizeof(str) : count;
|
||||
|
||||
memset(str, 0, sizeof(str));
|
||||
ret = copy_from_user(str, buf, sizeof(str));
|
||||
memset(str, 0, size);
|
||||
ret = copy_from_user(str, buf, size);
|
||||
if (ret)
|
||||
return -EFAULT;
|
||||
|
||||
wr_offset = 0;
|
||||
for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
wr_offset = (wr_offset * 10) + (str[i] - '0');
|
||||
|
||||
pr_alert("PCIe: wr_offset is now 0x%x\n", wr_offset);
|
||||
|
|
@ -2731,14 +2735,15 @@ static ssize_t msm_pcie_set_wr_mask(struct file *file,
|
|||
unsigned long ret;
|
||||
char str[MAX_MSG_LEN];
|
||||
int i;
|
||||
u32 size = sizeof(str) < count ? sizeof(str) : count;
|
||||
|
||||
memset(str, 0, sizeof(str));
|
||||
ret = copy_from_user(str, buf, sizeof(str));
|
||||
memset(str, 0, size);
|
||||
ret = copy_from_user(str, buf, size);
|
||||
if (ret)
|
||||
return -EFAULT;
|
||||
|
||||
wr_mask = 0;
|
||||
for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
wr_mask = (wr_mask * 10) + (str[i] - '0');
|
||||
|
||||
pr_alert("PCIe: wr_mask is now 0x%x\n", wr_mask);
|
||||
|
|
@ -2756,14 +2761,15 @@ static ssize_t msm_pcie_set_wr_value(struct file *file,
|
|||
unsigned long ret;
|
||||
char str[MAX_MSG_LEN];
|
||||
int i;
|
||||
u32 size = sizeof(str) < count ? sizeof(str) : count;
|
||||
|
||||
memset(str, 0, sizeof(str));
|
||||
ret = copy_from_user(str, buf, sizeof(str));
|
||||
memset(str, 0, size);
|
||||
ret = copy_from_user(str, buf, size);
|
||||
if (ret)
|
||||
return -EFAULT;
|
||||
|
||||
wr_value = 0;
|
||||
for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
wr_value = (wr_value * 10) + (str[i] - '0');
|
||||
|
||||
pr_alert("PCIe: wr_value is now 0x%x\n", wr_value);
|
||||
|
|
@ -2882,14 +2888,15 @@ static ssize_t msm_pcie_set_corr_counter_limit(struct file *file,
|
|||
unsigned long ret;
|
||||
char str[MAX_MSG_LEN];
|
||||
int i;
|
||||
u32 size = sizeof(str) < count ? sizeof(str) : count;
|
||||
|
||||
memset(str, 0, sizeof(str));
|
||||
ret = copy_from_user(str, buf, sizeof(str));
|
||||
memset(str, 0, size);
|
||||
ret = copy_from_user(str, buf, size);
|
||||
if (ret)
|
||||
return -EFAULT;
|
||||
|
||||
corr_counter_limit = 0;
|
||||
for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
|
||||
corr_counter_limit = (corr_counter_limit * 10) + (str[i] - '0');
|
||||
|
||||
pr_info("PCIe: corr_counter_limit is now %lu\n", corr_counter_limit);
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue