Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dbcd8b59 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "msm: ipa: prevent string buffer overflows in IPA driver"

parents 79258834 cd66589f

drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c

+2 −0
Original line number Diff line number Diff line
@@ -1374,6 +1374,7 @@ int ipa2_get_hdr(struct ipa_ioc_get_hdr *lookup) 
		return -EINVAL;

	}

	mutex_lock(&ipa_ctx->lock);

	lookup->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	entry = __ipa_find_hdr(lookup->name);

	if (entry) {

		lookup->hdl = entry->id;
@@ -1496,6 +1497,7 @@ int ipa2_copy_hdr(struct ipa_ioc_copy_hdr *copy) 
		return -EINVAL;

	}

	mutex_lock(&ipa_ctx->lock);

	copy->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	entry = __ipa_find_hdr(copy->name);

	if (entry) {

		memcpy(copy->hdr, entry->hdr, entry->hdr_len);

drivers/platform/msm/ipa/ipa_v2/ipa_intf.c

+3 −0
Original line number Diff line number Diff line
@@ -234,6 +234,7 @@ int ipa_query_intf(struct ipa_ioc_query_intf *lookup) 
	}



	mutex_lock(&ipa_ctx->lock);

	lookup->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	list_for_each_entry(entry, &ipa_ctx->intf_list, link) {

		if (!strcmp(entry->name, lookup->name)) {

			lookup->num_tx_props = entry->num_tx_props;
@@ -269,6 +270,7 @@ int ipa_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx) 
	}



	mutex_lock(&ipa_ctx->lock);

	tx->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	list_for_each_entry(entry, &ipa_ctx->intf_list, link) {

		if (!strcmp(entry->name, tx->name)) {

			/* add the entry check */
@@ -310,6 +312,7 @@ int ipa_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx) 
	}



	mutex_lock(&ipa_ctx->lock);

	rx->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	list_for_each_entry(entry, &ipa_ctx->intf_list, link) {

		if (!strcmp(entry->name, rx->name)) {

			/* add the entry check */

drivers/platform/msm/ipa/ipa_v2/ipa_rt.c

+3 −0
Original line number Diff line number Diff line
@@ -863,6 +863,7 @@ int ipa2_query_rt_index(struct ipa_ioc_get_rt_tbl_indx *in) 


	mutex_lock(&ipa_ctx->lock);

	/* check if this table exists */

	in->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	entry = __ipa_find_rt_tbl(in->ip, in->name);

	if (!entry) {

		mutex_unlock(&ipa_ctx->lock);
@@ -1099,6 +1100,7 @@ int ipa2_add_rt_rule(struct ipa_ioc_add_rt_rule *rules) 


	mutex_lock(&ipa_ctx->lock);

	for (i = 0; i < rules->num_rules; i++) {

		rules->rt_tbl_name[IPA_RESOURCE_NAME_MAX-1] = '\0';

		if (__ipa_add_rt_rule(rules->ip, rules->rt_tbl_name,

					&rules->rules[i].rule,

					rules->rules[i].at_rear,
@@ -1368,6 +1370,7 @@ int ipa2_get_rt_tbl(struct ipa_ioc_get_rt_tbl *lookup) 
		return -EINVAL;

	}

	mutex_lock(&ipa_ctx->lock);

	lookup->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	entry = __ipa_find_rt_tbl(lookup->ip, lookup->name);

	if (entry && entry->cookie == IPA_RT_TBL_COOKIE) {

		if (entry->ref_cnt == U32_MAX) {

drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c

+2 −0
Original line number Diff line number Diff line
@@ -1133,6 +1133,7 @@ int ipa3_get_hdr(struct ipa_ioc_get_hdr *lookup) 
		return -EINVAL;

	}

	mutex_lock(&ipa3_ctx->lock);

	lookup->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	entry = __ipa_find_hdr(lookup->name);

	if (entry) {

		lookup->hdl = entry->id;
@@ -1255,6 +1256,7 @@ int ipa3_copy_hdr(struct ipa_ioc_copy_hdr *copy) 
		return -EINVAL;

	}

	mutex_lock(&ipa3_ctx->lock);

	copy->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	entry = __ipa_find_hdr(copy->name);

	if (entry) {

		memcpy(copy->hdr, entry->hdr, entry->hdr_len);

drivers/platform/msm/ipa/ipa_v3/ipa_intf.c

+3 −0
Original line number Diff line number Diff line
@@ -225,6 +225,7 @@ int ipa3_query_intf(struct ipa_ioc_query_intf *lookup) 
		return result;

	}



	lookup->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	if (strnlen(lookup->name, IPA_RESOURCE_NAME_MAX) ==

			IPA_RESOURCE_NAME_MAX) {

		IPAERR_RL("Interface name too long. (%s)\n", lookup->name);
@@ -267,6 +268,7 @@ int ipa3_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx) 
		return result;

	}



	tx->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	if (strnlen(tx->name, IPA_RESOURCE_NAME_MAX) == IPA_RESOURCE_NAME_MAX) {

		IPAERR_RL("Interface name too long. (%s)\n", tx->name);

		return result;
@@ -314,6 +316,7 @@ int ipa3_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx) 
		return result;

	}



	rx->name[IPA_RESOURCE_NAME_MAX-1] = '\0';

	if (strnlen(rx->name, IPA_RESOURCE_NAME_MAX) == IPA_RESOURCE_NAME_MAX) {

		IPAERR_RL("Interface name too long. (%s)\n", rx->name);

		return result;