
Commit 30bbe6f2 authored by Vamsi Krishna Gattupalli

msm: adsprpc: Fix double fetch from fastrpc HLOS driver



Fix possible Buffer overflow due to double fetch from
fastrpc HLOS driver.

Change-Id: I03cf94e7f6fef9c8765404a6da3da47fe3bedf8b
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
parent 6e701a80
+8 −7
@@ -156,9 +156,9 @@ struct compat_fastrpc_ioctl_dsp_capabilities {
static int compat_get_fastrpc_ioctl_invoke(
			struct compat_fastrpc_ioctl_invoke_crc __user *inv32,
			struct fastrpc_ioctl_invoke_crc __user **inva,
			unsigned int cmd)
			unsigned int cmd, unsigned int sc)
{
	compat_uint_t u, sc;
	compat_uint_t u;
	compat_size_t s;
	compat_uptr_t p;
	struct fastrpc_ioctl_invoke_crc *inv;
@@ -166,10 +166,6 @@ static int compat_get_fastrpc_ioctl_invoke(
	union remote_arg *pra;
	int err, len, j;

	err = get_user(sc, &inv32->inv.sc);
	if (err)
		return err;

	len = REMOTE_SCALARS_LENGTH(sc);
	VERIFY(err, NULL != (inv = compat_alloc_user_space(
				sizeof(*inv) + len * sizeof(*pra))));
@@ -513,6 +509,7 @@ long compat_fastrpc_device_ioctl(struct file *filp, unsigned int cmd,
				unsigned long arg)
{
	int err = 0;
	compat_uint_t sc;

	if (!filp->f_op || !filp->f_op->unlocked_ioctl)
		return -ENOTTY;
@@ -526,9 +523,13 @@ long compat_fastrpc_device_ioctl(struct file *filp, unsigned int cmd,
		struct compat_fastrpc_ioctl_invoke_crc __user *inv32;
		struct fastrpc_ioctl_invoke_crc __user *inv;

		err = get_user(sc, &inv32->inv.sc);
		if (err)
			return err;

		inv32 = compat_ptr(arg);
		VERIFY(err, 0 == compat_get_fastrpc_ioctl_invoke(inv32,
							&inv, cmd));
							&inv, cmd, sc));
		if (err)
			return err;
		return filp->f_op->unlocked_ioctl(filp,
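Review bot: In the compat_fastrpc_device_ioctl hunk, the new `err = get_user(sc, &inv32->inv.sc);` appears before `inv32 = compat_ptr(arg);`, so as rendered the only fetch of sc goes through an uninitialized pointer rather than the caller's argument. The assignment should come first: `inv32 = compat_ptr(arg);` followed by `err = get_user(sc, &inv32->inv.sc);`. The fetched value then sizes the compat_alloc_user_space buffer in compat_get_fastrpc_ioctl_invoke via `REMOTE_SCALARS_LENGTH(sc)`; the rest of that function is outside the visible hunks, so it is worth confirming that it stores the passed-in sc into `inv->inv.sc` instead of reading `inv32->inv.sc` again, otherwise the double fetch remains. The case block and the unlocked_ioctl call both extend beyond this hunk.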