Commit ab0f8613 authored by Kaushal Hooda
rpmsg: slatecom: maintain rx_size to read



For cmd close_ack or open request, rx_size is being
incremented with respect to offset, which might lead to an
out-of-bounds read from rx_data.

Decrease rx_size as we process commands.

Change-Id: I492eadcbebb78386fc20f744eb9ad8db4a2914fc
Signed-off-by: Kaushal Hooda <quic_khooda@quicinc.com>
parent 58e40179
+2 −2
@@ -1935,7 +1935,7 @@ static void glink_slatecom_process_cmd(struct glink_slatecom *glink, void *rx_da
		case SLATECOM_CMD_CLOSE_ACK:
			glink_slatecom_rx_defer(glink,
					   rx_data + offset - sizeof(*msg),
					   rx_size + offset - sizeof(*msg), 0);
					   rx_size - offset + sizeof(*msg), 0);
			break;
		case SLATECOM_CMD_RX_INTENT_REQ:
			glink_slatecom_handle_intent_req(glink, param1, param2);
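
Review bot: In the SLATECOM_CMD_CLOSE_ACK case the new length `rx_size - offset + sizeof(*msg)` is passed to glink_slatecom_rx_defer() with no visible guard that `offset - sizeof(*msg)` stays within `rx_size`. If it does not, the subtraction goes negative, or wraps to a very large value if rx_size is unsigned (its type is not shown in these lines), and the deferred read could run past rx_data again. Suggest checking `offset - sizeof(*msg) <= rx_size` before the call and rejecting the command with an error otherwise. The commit message says rx_size is decreased as commands are processed, while the hunk recomputes the remaining length from offset; a one-line comment that the pointer and length arguments must advance together would document the invariant this fix restores.
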
@@ -1948,7 +1948,7 @@ static void glink_slatecom_process_cmd(struct glink_slatecom *glink, void *rx_da
			name = rx_data + offset;
			glink_slatecom_rx_defer(glink,
					   rx_data + offset - sizeof(*msg),
					   rx_size + offset - sizeof(*msg),
					   rx_size - offset + sizeof(*msg),
					   ALIGN(name_len, SLATECOM_ALIGNMENT));

			offset += ALIGN(name_len, SLATECOM_ALIGNMENT);
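
Review bot: In the open-request case `ALIGN(name_len, SLATECOM_ALIGNMENT)` is passed as the extra length and then added to offset, but nothing in this hunk checks it against the bytes left in rx_data. The corrected `rx_size - offset + sizeof(*msg)` bounds only the base length; where name_len comes from is not visible here, and a value larger than the remainder would still move offset beyond the buffer on the next iteration. Suggest validating the aligned name_len against `rx_size - offset` before the call. The same pointer and length expressions now appear in both cases, so computing them once into locals or a small helper would keep the two call sites from diverging.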