
Commit e4c9b6f1 authored by Praveen Kurapati's avatar Praveen Kurapati Committed by Gerrit - the friendly Code Review server

msm: ipa: Fix to validate the buffer size



Add code changes to validate the buffer size.
When ipa_read is called, verify whether the kernel buffer
size is in range.

Change-Id: Idc608c2cf0587a00f19ece38a4eb646f7fde68e3
Signed-off-by: default avatarPraveen Kurapati <pkurapat@codeaurora.org>
parent 4ff431d6
+17 −4
/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
/* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
 *
 *
 * This program is free software; you can redistribute it and/or modify
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
 * it under the terms of the GNU General Public License version 2 and
@@ -737,6 +737,12 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
			IPADBG("msg=%pK\n", msg);
			IPADBG("msg=%pK\n", msg);
			locked = 0;
			locked = 0;
			mutex_unlock(&ipa_ctx->msg_lock);
			mutex_unlock(&ipa_ctx->msg_lock);
			if (count < sizeof(struct ipa_msg_meta)) {
				kfree(msg);
				msg = NULL;
				ret = -EFAULT;
				break;
			}
			if (copy_to_user(buf, &msg->meta,
			if (copy_to_user(buf, &msg->meta,
					sizeof(struct ipa_msg_meta))) {
					sizeof(struct ipa_msg_meta))) {
				kfree(msg);
				kfree(msg);
@@ -747,6 +753,7 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
			buf += sizeof(struct ipa_msg_meta);
			buf += sizeof(struct ipa_msg_meta);
			count -= sizeof(struct ipa_msg_meta);
			count -= sizeof(struct ipa_msg_meta);
			if (msg->buff) {
			if (msg->buff) {
				if (count >= msg->meta.msg_len) {
					if (copy_to_user(buf, msg->buff,
					if (copy_to_user(buf, msg->buff,
							msg->meta.msg_len)) {
							msg->meta.msg_len)) {
						kfree(msg);
						kfree(msg);
@@ -754,6 +761,12 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
						ret = -EFAULT;
						ret = -EFAULT;
						break;
						break;
					}
					}
				} else {
					kfree(msg);
					msg = NULL;
					ret = -EFAULT;
					break;
				}
				buf += msg->meta.msg_len;
				buf += msg->meta.msg_len;
				count -= msg->meta.msg_len;
				count -= msg->meta.msg_len;
				msg->callback(msg->buff, msg->meta.msg_len,
				msg->callback(msg->buff, msg->meta.msg_len,
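Review bot: Both new short-buffer branches (the `count < sizeof(struct ipa_msg_meta)` check and the `else` after `count >= msg->meta.msg_len`) release only `msg` with `kfree(msg)`, while the success path hands `msg->buff` to `msg->callback(...)`; if that callback is what frees the payload, which is not visible here, every undersized read leaks `msg->buff`, and userspace controls `count`. I would invoke `msg->callback` with the same arguments as the success path before `kfree(msg)` in these branches, guarded by `if (msg->buff)`; the existing `copy_to_user` failure paths appear to share the pattern. A too-small buffer is also not a bad address, so `ret = -EINVAL;` would describe the failure better than `ret = -EFAULT;`. The body of ipa_read starts and ends outside these hunks, so whether the message has already been dequeued at this point, and is therefore dropped on a short read, needs checking against the full function.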