
Commit 57c02ee8 authored by Puja Gupta, committed by Gerrit - the friendly Code Review server

soc: qcom: Avoid possible buffer overflow in service-locator



Fix possible buffer overflow by reading 'resp->total_domains' from the
qmi response message since 'resp->total_domains' indicates total number
of matching domains found by servreg.
'resp->domain_list_len' indicates the domains that could be sent in one
response which should not be greater than 'resp->total_domains'.

CRs-Fixed: 2009016
Change-Id: I614561c5f9bc996689129bc098baaffc9b59c377
Signed-off-by: Puja Gupta <pujag@codeaurora.org>
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
parent 6862ebda
+9 −3
@@ -266,10 +266,12 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
		if (!domains_read) {
			db_rev_count = pd->db_rev_count = resp->db_rev_count;
			pd->total_domains = resp->total_domains;
			if (!pd->total_domains && resp->domain_list_len) {
				pr_err("total domains not set\n");
				pd->total_domains = resp->domain_list_len;
			if (!resp->total_domains) {
				pr_err("No matching domains found\n");
				rc = -EIO;
				goto out;
			}

			pd->domain_list = kmalloc(
					sizeof(struct servreg_loc_entry_v01) *
					resp->total_domains, GFP_KERNEL);
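Review bot: The kmalloc() size is still the open-coded product `sizeof(struct servreg_loc_entry_v01) * resp->total_domains`, and total_domains is taken from the QMI response with only the zero case rejected, so there is no upper bound on what the peer can ask the kernel to allocate and no overflow check on the multiplication. Suggest kmalloc_array(resp->total_domains, sizeof(struct servreg_loc_entry_v01), GFP_KERNEL) and rejecting values above the maximum the protocol allows before allocating. Minor: `pd->total_domains = resp->total_domains;` is stored before the new `if (!resp->total_domains)` check; moving the check first would avoid updating pd on the error path.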
@@ -286,6 +288,10 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
			rc = -EAGAIN;
			goto out;
		}
		if (resp->domain_list_len >  resp->total_domains) {
			/* Always read total_domains from the response msg */
			resp->domain_list_len = resp->total_domains;
		}
		/* Copy the response*/
		store_get_domain_list_response(pd, resp, domains_read);
		domains_read += resp->domain_list_len;
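Review bot: The clamp at `if (resp->domain_list_len >  resp->total_domains)` bounds one response, not the running total. store_get_domain_list_response(pd, resp, domains_read) is passed the offset domains_read, and `domains_read += resp->domain_list_len` grows on each pass (the `if (!domains_read)` branch in the first hunk indicates this code runs for more than one response), so on a later pass domains_read plus domain_list_len can still exceed the number of entries allocated. The comparison also uses total_domains from the current response, while pd->domain_list was sized from the first one. Suggest checking domain_list_len against pd->total_domains - domains_read, and returning an error (or at least logging) on an oversized list instead of silently rewriting the response field. Style: there is a double space after `>` and a missing space before the closing `*/` in `/* Copy the response*/`.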