
Commit e404838e authored by Srinivasarao Pathipati's avatar Srinivasarao Pathipati

haven: hh_rm_core: Check payload size in hh_rm_init_connection_buff()



Ensure that the payload being copied to the connection's recv_buff
buffer does not exceed the buffer's maximum size.

Change-Id: Ic0e0b894e7746430916b24f45e583822ccea2748
Signed-off-by: Srinivasarao Pathipati <quic_spathi@quicinc.com>
parent 6acb487b
+10 −3
@@ -90,18 +90,25 @@ hh_rm_init_connection_buff(struct hh_rm_connection *connection,
				size_t payload_size)
{
	struct hh_rm_rpc_hdr *hdr = recv_buff;
	size_t max_buf_size;

	/* Some of the 'reply' types doesn't contain any payload */
	if (!payload_size)
		return 0;

	max_buf_size = (HH_MSGQ_MAX_MSG_SIZE_BYTES - hdr_size) *
			(hdr->fragments + 1);

	if (payload_size > max_buf_size) {
		pr_err("%s: Payload size exceeds max buff size\n", __func__);
		return -EINVAL;
	}

	/* If the data is split into multiple fragments, allocate a large
	 * enough buffer to hold the payloads for all the fragments.
	 */
	connection->recv_buff = connection->current_recv_buff =
		kzalloc((HH_MSGQ_MAX_MSG_SIZE_BYTES - hdr_size) *
			(hdr->fragments + 1),
			GFP_KERNEL);
				kzalloc(max_buf_size, GFP_KERNEL);
	if (!connection->recv_buff)
		return -ENOMEM;
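Review bot: The new bound in `hh_rm_init_connection_buff()` is computed from `hdr->fragments`, which is read out of the received message itself (`hdr = recv_buff`), so `payload_size > max_buf_size` only checks the payload against the total that the sender announces. The payload of this one message cannot legitimately exceed `HH_MSGQ_MAX_MSG_SIZE_BYTES - hdr_size`, so a tighter guard for the first copy would be `if (payload_size > HH_MSGQ_MAX_MSG_SIZE_BYTES - hdr_size)`, keeping the multiplied value only as the allocation size. That subtraction wraps if `hdr_size` can ever exceed the constant; its type and its callers are not visible in this hunk, so this may already be guaranteed. The copy itself and the appending of later fragments lie outside the hunk and presumably need an equivalent check against the space remaining in `recv_buff`. Because the error path can be triggered by the peer, `pr_err_ratelimited()` with both sizes in the message would be more useful for triage than the bare `pr_err()`.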