
Commit 2c79fa65 authored by Piyush Dhyani, committed by Gerrit - the friendly Code Review server

msm: ipa: Fix buffer overflow issue



Currently during IPA_IOC_GET_PHERIPHERAL_EP_INFO ioctl we are not
returning for the invalid values of max_ep_pairs and ep_pair_size,
which is resulting in call of functions with invalid parameters.
So now changing the control when we receive unexpected values.

Change-Id: Idc0a8986478ece5eaad2a31152c2a16cd758b612
Signed-off-by: Piyush Dhyani <pdhyani@codeaurora.org>
parent 77d80f4d
+9 −3
@@ -2072,14 +2072,20 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
			break;
		}

		if (ep_info.max_ep_pairs != QUERY_MAX_EP_PAIRS)
		if (ep_info.max_ep_pairs != QUERY_MAX_EP_PAIRS) {
			IPAERR_RL("unexpected max_ep_pairs %d\n",
			ep_info.max_ep_pairs);
			retval = -EFAULT;
			break;
		}

		if (ep_info.ep_pair_size !=
			(QUERY_MAX_EP_PAIRS * sizeof(struct ipa_ep_pair_info)))
		if (ep_info.ep_pair_size != (QUERY_MAX_EP_PAIRS *
			sizeof(struct ipa_ep_pair_info))) {
			IPAERR_RL("unexpected ep_pair_size %d\n",
			ep_info.max_ep_pairs);
			retval = -EFAULT;
			break;
		}

		uptr = ep_info.info;
		if (unlikely(!uptr)) {
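Review bot: The IPAERR_RL call in the ep_pair_size branch logs ep_info.max_ep_pairs, not ep_info.ep_pair_size, so the "unexpected ep_pair_size %d" message prints a value that has already passed the preceding check and never shows the size that was actually rejected. Pass ep_info.ep_pair_size as the argument, with a format specifier that matches its type. Also consider returning -EINVAL in both new branches: the failure here is a rejected argument value rather than a failed access to user memory, which is what -EFAULT normally signals to the caller. The continuation lines of both IPAERR_RL calls sit at the same indent as the call itself; aligning them under the opening parenthesis would follow kernel style.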