Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f95e8973 authored by Kyle Yan's avatar Kyle Yan Committed by Gerrit - the friendly Code Review server
Browse files

Merge "soc: qcom: Avoid possible buffer overflow in service-locator" into msm-4.9

parents 7849bb19 57c02ee8

drivers/soc/qcom/service-locator.c

+9 −3
Original line number Diff line number Diff line
@@ -266,10 +266,12 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd) 
		if (!domains_read) {

			db_rev_count = pd->db_rev_count = resp->db_rev_count;

			pd->total_domains = resp->total_domains;

			if (!pd->total_domains && resp->domain_list_len) {

				pr_err("total domains not set\n");

				pd->total_domains = resp->domain_list_len;

			if (!resp->total_domains) {

				pr_err("No matching domains found\n");

				rc = -EIO;

				goto out;

			}



			pd->domain_list = kmalloc(

					sizeof(struct servreg_loc_entry_v01) *

					resp->total_domains, GFP_KERNEL);
@@ -286,6 +288,10 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd) 
			rc = -EAGAIN;

			goto out;

		}

		if (resp->domain_list_len >  resp->total_domains) {

			/* Always read total_domains from the response msg */

			resp->domain_list_len = resp->total_domains;

		}

		/* Copy the response*/

		store_get_domain_list_response(pd, resp, domains_read);

		domains_read += resp->domain_list_len;