
Commit bdc8e579 authored by Subbaraman Narayanamurthy's avatar Subbaraman Narayanamurthy

power: supply: qti-battery-charger: Fix buffer handling in handle_message()



Currently, prop_id (u32) and val (u32) are obtained for all messages
in handle_message(). However, the response for notification request
doesn't have the same payload; it carries only a u32 return code. Because
of this, an unintentional memory read for u32 is being made even
though it is not used.

Fix this by getting prop_id and val only for response messages that
are intended to get battery/USB/wireless power supply properties.

CRs-Fixed: 2655408
Change-Id: I4d17d965f911eb6a4357e29117191f78830e9e5c
Signed-off-by: default avatarSubbaraman Narayanamurthy <subbaram@codeaurora.org>
parent 17c22334
+11 −10
@@ -317,10 +317,9 @@ int qti_battery_charger_get_prop(const char *name,
}
EXPORT_SYMBOL(qti_battery_charger_get_prop);

static bool validate_message(void *data, size_t len)
static bool validate_message(struct battery_charger_resp_msg *resp_msg,
				size_t len)
{
	struct battery_charger_resp_msg *resp_msg = data;

	if (len != sizeof(*resp_msg)) {
		pr_err("Incorrect response length %zu for opcode %#x\n", len,
			resp_msg->hdr.opcode);
@@ -342,7 +341,6 @@ static void handle_message(struct battery_chg_dev *bcdev, void *data,
{
	struct battery_charger_resp_msg *resp_msg = data;
	struct battery_model_resp_msg *model_resp_msg = data;
	u32 prop_id = resp_msg->property_id, val = resp_msg->value;
	struct psy_state *pst;
	bool ack_set = false;

@@ -358,24 +356,27 @@ static void handle_message(struct battery_chg_dev *bcdev, void *data,
		}

		/* Other response should be of same type as they've u32 value */
		if (validate_message(data, len) && prop_id < pst->prop_count) {
			pst->prop[prop_id] = val;
		if (validate_message(resp_msg, len) &&
		    resp_msg->property_id < pst->prop_count) {
			pst->prop[resp_msg->property_id] = resp_msg->value;
			ack_set = true;
		}

		break;
	case BC_USB_STATUS_GET:
		pst = &bcdev->psy_list[PSY_TYPE_USB];
		if (validate_message(data, len) && prop_id < pst->prop_count) {
			pst->prop[prop_id] = val;
		if (validate_message(resp_msg, len) &&
		    resp_msg->property_id < pst->prop_count) {
			pst->prop[resp_msg->property_id] = resp_msg->value;
			ack_set = true;
		}

		break;
	case BC_WLS_STATUS_GET:
		pst = &bcdev->psy_list[PSY_TYPE_WLS];
		if (validate_message(data, len) && prop_id < pst->prop_count) {
			pst->prop[prop_id] = val;
		if (validate_message(resp_msg, len) &&
		    resp_msg->property_id < pst->prop_count) {
			pst->prop[resp_msg->property_id] = resp_msg->value;
			ack_set = true;
		}
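Review bot: In all three property branches (battery, `BC_USB_STATUS_GET`, `BC_WLS_STATUS_GET`) the new code reads `resp_msg->property_id` from the message buffer once for the bounds check and again for the array index, where the old code indexed with a local copy. Whether the sender can still modify `data` after validation is not visible here, but if it can, the index used may differ from the one that was checked. Taking the snapshot only after the length check keeps this commit's fix and restores the single read: `u32 prop_id = READ_ONCE(resp_msg->property_id);` inside the `validate_message(resp_msg, len)` branch, then `if (prop_id < pst->prop_count) pst->prop[prop_id] = resp_msg->value;`. The three branches differ only in the PSY type, so a small static helper taking `pst`, `resp_msg` and `len` would hold the check in one place. handle_message() begins and ends outside the hunks shown.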