msm: ipa: fix the potential heap overflow on wan-driver (345c814e) · Commits · e / devices / android_kernel_fairphone_FP3

drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c

+18 −1

Original line number	Diff line number	Diff line
		@@ -2637,7 +2637,7 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data)
		*
		* Return codes:
		* 0: Success
		* -EFAULT: Invalid interface name provided
		* -EFAULT: Invalid src/dst pipes provided
		* other: See ipa_qmi_set_data_quota
		*/
		int rmnet_ipa_set_tether_client_pipe(
		@@ -2645,6 +2645,23 @@ int rmnet_ipa_set_tether_client_pipe(
		{
		int number, i;

		/* error checking if ul_src_pipe_len valid or not*/
		if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 \|\|
		data->ul_src_pipe_len < 0) {
		IPAWANERR("UL src pipes %d exceeding max %d\n",
		data->ul_src_pipe_len,
		QMI_IPA_MAX_PIPES_V01);
		return -EFAULT;
		}
		/* error checking if dl_dst_pipe_len valid or not*/
		if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 \|\|
		data->dl_dst_pipe_len < 0) {
		IPAWANERR("DL dst pipes %d exceeding max %d\n",
		data->dl_dst_pipe_len,
		QMI_IPA_MAX_PIPES_V01);
		return -EFAULT;
		}

		IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",
		data->ipa_client,
		data->ul_src_pipe_len,

+17 −0

Original line number	Diff line number	Diff line
		@@ -2681,6 +2681,23 @@ int rmnet_ipa3_set_tether_client_pipe(
		{
		int number, i;

		/* error checking if ul_src_pipe_len valid or not*/
		if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 \|\|
		data->ul_src_pipe_len < 0) {
		IPAWANERR("UL src pipes %d exceeding max %d\n",
		data->ul_src_pipe_len,
		QMI_IPA_MAX_PIPES_V01);
		return -EFAULT;
		}
		/* error checking if dl_dst_pipe_len valid or not*/
		if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 \|\|
		data->dl_dst_pipe_len < 0) {
		IPAWANERR("DL dst pipes %d exceeding max %d\n",
		data->dl_dst_pipe_len,
		QMI_IPA_MAX_PIPES_V01);
		return -EFAULT;
		}

		IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",
		data->ipa_client,
		data->ul_src_pipe_len,