
Commit e8abd40f authored by Jerry Zhang, committed by Greg Hackmann

ANDROID: usb: gadget: f_mtp: Return error if count is negative



If the user passes in a negative file size in an int64,
this will compare to be smaller than buffer length,
and it will get truncated to form a read length that
is larger than the buffer length.

To fix, return -EINVAL if the count argument is negative,
so the loop will never happen.

Bug: 37429972
Test: Test with PoC
Change-Id: I5d52e38e6fbe2c17eb8c493f9eb81df6cfd780a4
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
parent a427932c
+10 −0
@@ -729,6 +729,11 @@ static void send_file_work(struct work_struct *data)
	offset = dev->xfer_file_offset;
	count = dev->xfer_file_length;

	if (count < 0) {
		dev->xfer_result = -EINVAL;
		return;
	}

	DBG(cdev, "send_file_work(%lld %lld)\n", offset, count);

	if (dev->xfer_send_header) {
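Review bot: only count is validated in send_file_work, while offset is loaded from dev->xfer_file_offset on the line just above and is printed with the same %lld format, so it is also a signed 64-bit value taken from the same request. Either reject a negative offset in the same check (if (count < 0 || offset < 0)) or add a short comment saying why a negative offset is harmless further down. A one-line comment above the check naming the truncation it prevents would also help, since the reason is currently only in the commit message.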
@@ -835,6 +840,11 @@ static void receive_file_work(struct work_struct *data)
	offset = dev->xfer_file_offset;
	count = dev->xfer_file_length;

	if (count < 0) {
		dev->xfer_result = -EINVAL;
		return;
	}

	DBG(cdev, "receive_file_work(%lld)\n", count);

	while (count > 0 || write_req) {
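Review bot: the five-line check in receive_file_work is an exact copy of the one in send_file_work, and both run inside the work function after dev->xfer_file_length has already been stored and the work queued. Validating the length once, at the point where xfer_file_length is assigned from the caller's request, would reject the bad value before any work is scheduled and remove the duplication; if the check has to stay in the workers, a small shared helper keeps the two paths from drifting apart. The visible loop condition is already count > 0 || write_req, so a comment stating which later use of a negative count this guards against would make the intent clear to the next reader.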