
Commit 1d535d55 authored by Subash Abhinov Kasiviswanathan's avatar Subash Abhinov Kasiviswanathan

soc: qcom: dfc: Fix qmi indication size



Fix decoded size of an indication message to be the size after
decoding. Incorrect size could lead to invalid memory access.

CRs-fixed: 2446770
Change-Id: I5e982fbb879a28419081990a773920fb536763b3
Acked-by: default avatarWeiyi Chen <weiyic@qti.qualcomm.com>
Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
parent e8ec8a77
+2 −4
@@ -81,9 +81,7 @@ static void dfc_svc_init(struct work_struct *work);
#define QMI_DFC_INDICATION_REGISTER_RESP_V01_MAX_MSG_LEN 7

#define QMI_DFC_FLOW_STATUS_IND_V01 0x0022
#define QMI_DFC_FLOW_STATUS_IND_V01_MAX_MSG_LEN 540
#define QMI_DFC_TX_LINK_STATUS_IND_V01 0x0024
#define QMI_DFC_TX_LINK_STATUS_IND_V01_MAX_MSG_LEN 120

#define QMI_DFC_GET_FLOW_STATUS_REQ_V01 0x0023
#define QMI_DFC_GET_FLOW_STATUS_RESP_V01 0x0023
@@ -1420,14 +1418,14 @@ static struct qmi_msg_handler qmi_indication_handler[] = {
		.type = QMI_INDICATION,
		.msg_id = QMI_DFC_FLOW_STATUS_IND_V01,
		.ei = dfc_flow_status_ind_v01_ei,
		.decoded_size = QMI_DFC_FLOW_STATUS_IND_V01_MAX_MSG_LEN,
		.decoded_size = sizeof(struct dfc_flow_status_ind_msg_v01),
		.fn = dfc_clnt_ind_cb,
	},
	{
		.type = QMI_INDICATION,
		.msg_id = QMI_DFC_TX_LINK_STATUS_IND_V01,
		.ei = dfc_tx_link_status_ind_v01_ei,
		.decoded_size = QMI_DFC_TX_LINK_STATUS_IND_V01_MAX_MSG_LEN,
		.decoded_size = sizeof(struct dfc_tx_link_status_ind_msg_v01),
		.fn = dfc_tx_link_status_ind_cb,
	},
	{},
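Review bot: Nothing at `qmi_indication_handler[]` records why `.decoded_size` has to be `sizeof` the decoded struct, and the `*_MAX_MSG_LEN` macros that remain (for example `QMI_DFC_INDICATION_REGISTER_RESP_V01_MAX_MSG_LEN` in the first hunk) still invite the same mix-up. As far as I know, the QMI helper allocates the destination buffer from this field and then decodes into it according to `.ei`, so an encoded wire length that is smaller than the struct leads to a heap write past the allocation. A comment above the table would pin the rule, e.g. `/* decoded_size is the size of the decoded C struct, never the encoded *_MAX_MSG_LEN */`. The table's definition starts and ends outside the visible hunk, so any further entries, and any other handler tables in this file, should be checked for the same pattern.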