Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a13f71e8 authored by Jeya R's avatar Jeya R
Browse files

msm: adsprpc: Add checks to avoid buffer overflow 



Do integer overflow check on the length of buffer
to be copied before copying to the buffer.

Change-Id: I425861170125fb3069739af84975c4893462624e
Acked-by: default avatarChenna Kesava Raju <chennak@qti.qualcomm.com>
Signed-off-by: default avatarJeya R <jeyr@codeaurora.org&gt;`>
parent 2b4df556

drivers/char/adsprpc.c

+4 −3
Original line number Diff line number Diff line
@@ -2230,7 +2230,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) 
	int outbufs = REMOTE_SCALARS_OUTBUFS(sc);

	int handles, bufs = inbufs + outbufs;

	uintptr_t args = 0;

	size_t rlen = 0, copylen = 0, metalen = 0, lrpralen = 0;

	size_t rlen = 0, copylen = 0, metalen = 0, lrpralen = 0, templen = 0;

	size_t totallen = 0; //header and non ion copy buf len

	int i, oix;

	int err = 0, j = 0;
@@ -2328,12 +2328,13 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) 
			copylen = ALIGN(copylen, BALIGN);

		mstart = ctx->overps[oix]->mstart;

		mend = ctx->overps[oix]->mend;

		VERIFY(err, (mend - mstart) <= LONG_MAX);

		templen = mend - mstart;

		VERIFY(err, ((templen <= LONG_MAX) && (copylen <= (LONG_MAX - templen))));

		if (err) {

			err = -EFAULT;

			goto bail;

		}

		copylen += mend - mstart;

		copylen += templen;

	}

	totallen = ALIGN(totallen, BALIGN) + copylen;