msm: ipa3: Fix to avoid memory out of bound access error (7c7545a7) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c

+18 −21

Original line number	Diff line number	Diff line
		@@ -1645,63 +1645,61 @@ static struct qmi_msg_handler server_handlers[] = {
		.type = QMI_REQUEST,
		.msg_id = QMI_IPA_INDICATION_REGISTER_REQ_V01,
		.ei = ipa3_indication_reg_req_msg_data_v01_ei,
		.decoded_size =
		QMI_IPA_INDICATION_REGISTER_REQ_MAX_MSG_LEN_V01,
		.decoded_size = sizeof(struct ipa_indication_reg_req_msg_v01),
		.fn = ipa3_handle_indication_req,
		},
		{
		.type = QMI_REQUEST,
		.msg_id = QMI_IPA_INSTALL_FILTER_RULE_REQ_V01,
		.ei = ipa3_install_fltr_rule_req_msg_data_v01_ei,
		.decoded_size =
		QMI_IPA_INSTALL_FILTER_RULE_REQ_MAX_MSG_LEN_V01,
		.decoded_size = sizeof(
		struct ipa_install_fltr_rule_req_msg_v01),
		.fn = ipa3_handle_install_filter_rule_req,
		},
		{
		.type = QMI_REQUEST,
		.msg_id = QMI_IPA_FILTER_INSTALLED_NOTIF_REQ_V01,
		.ei = ipa3_fltr_installed_notif_req_msg_data_v01_ei,
		.decoded_size =
		QMI_IPA_FILTER_INSTALLED_NOTIF_REQ_MAX_MSG_LEN_V01,
		.decoded_size = sizeof(
		struct ipa_fltr_installed_notif_req_msg_v01),
		.fn = ipa3_handle_filter_installed_notify_req,
		},
		{
		.type = QMI_REQUEST,
		.msg_id = QMI_IPA_CONFIG_REQ_V01,
		.ei = ipa3_config_req_msg_data_v01_ei,
		.decoded_size = QMI_IPA_CONFIG_REQ_MAX_MSG_LEN_V01,
		.decoded_size = sizeof(struct ipa_config_req_msg_v01),
		.fn = handle_ipa_config_req,
		},
		{
		.type = QMI_REQUEST,
		.msg_id = QMI_IPA_INIT_MODEM_DRIVER_CMPLT_REQ_V01,
		.ei = ipa3_init_modem_driver_cmplt_req_msg_data_v01_ei,
		.decoded_size =
		QMI_IPA_INIT_MODEM_DRIVER_CMPLT_REQ_MAX_MSG_LEN_V01,
		.decoded_size = sizeof(
		struct ipa_init_modem_driver_cmplt_req_msg_v01),
		.fn = ipa3_handle_modem_init_cmplt_req,
		},
		{
		.type = QMI_REQUEST,
		.msg_id = QMI_IPA_INIT_MODEM_DRIVER_CMPLT_REQ_V01,
		.ei = ipa3_init_modem_driver_cmplt_req_msg_data_v01_ei,
		.decoded_size =
		QMI_IPA_INIT_MODEM_DRIVER_CMPLT_REQ_MAX_MSG_LEN_V01,
		.decoded_size = sizeof(
		struct ipa_init_modem_driver_cmplt_req_msg_v01),
		.fn = ipa3_handle_modem_init_cmplt_req,
		},
		{
		.type = QMI_REQUEST,
		.msg_id = QMI_IPA_MHI_ALLOC_CHANNEL_REQ_V01,
		.ei = ipa_mhi_alloc_channel_req_msg_v01_ei,
		.decoded_size =
		IPA_MHI_ALLOC_CHANNEL_REQ_MSG_V01_MAX_MSG_LEN,
		.decoded_size = sizeof(
		struct ipa_mhi_alloc_channel_req_msg_v01),
		.fn = ipa3_handle_mhi_alloc_channel_req,
		},
		{
		.type = QMI_REQUEST,
		.msg_id = QMI_IPA_MHI_CLK_VOTE_REQ_V01,
		.ei = ipa_mhi_clk_vote_req_msg_v01_ei,
		.decoded_size =
		IPA_MHI_CLK_VOTE_REQ_MSG_V01_MAX_MSG_LEN,
		.decoded_size = sizeof(struct ipa_mhi_clk_vote_req_msg_v01),
		.fn = ipa3_handle_mhi_vote_req,
		},

		@@ -1718,24 +1716,23 @@ static struct qmi_msg_handler client_handlers[] = {
		.type = QMI_INDICATION,
		.msg_id = QMI_IPA_DATA_USAGE_QUOTA_REACHED_IND_V01,
		.ei = ipa3_data_usage_quota_reached_ind_msg_data_v01_ei,
		.decoded_size =
		QMI_IPA_DATA_USAGE_QUOTA_REACHED_IND_MAX_MSG_LEN_V01,
		.decoded_size = sizeof(
		struct ipa_data_usage_quota_reached_ind_msg_v01),
		.fn = ipa3_q6_clnt_quota_reached_ind_cb,
		},
		{
		.type = QMI_INDICATION,
		.msg_id = QMI_IPA_INSTALL_UL_FIREWALL_RULES_IND_V01,
		.ei = ipa3_install_fltr_rule_req_msg_data_v01_ei,
		.decoded_size =
		QMI_IPA_INSTALL_UL_FIREWALL_RULES_IND_MAX_MSG_LEN_V01,
		.decoded_size = sizeof(
		struct ipa_configure_ul_firewall_rules_ind_msg_v01),
		.fn = ipa3_q6_clnt_install_firewall_rules_ind_cb,
		},
		{
		.type = QMI_INDICATION,
		.msg_id = QMI_IPA_BW_CHANGE_INDICATION_V01,
		.ei = ipa_bw_change_ind_msg_v01_ei,
		.decoded_size =
		IPA_BW_CHANGE_IND_MSG_V01_MAX_MSG_LEN,
		.decoded_size = sizeof(struct ipa_bw_change_ind_msg_v01),
		.fn = ipa3_q6_clnt_bw_vhang_ind_cb,
		},
		};