drivers/misc/qseecom.c +29 −1 @@ -3703,6 +3703,33 @@ int __boundary_checks_offset(struct qseecom_send_modfd_cmd_req *req, return 0; } static int __boundary_checks_offset_64(struct qseecom_send_modfd_cmd_req *req, struct qseecom_send_modfd_listener_resp *lstnr_resp, struct qseecom_dev_handle *data, int i) { if ((data->type != QSEECOM_LISTENER_SERVICE) && (req->ifd_data[i].fd > 0)) { if ((req->cmd_req_len < sizeof(uint64_t)) || (req->ifd_data[i].cmd_buf_offset > req->cmd_req_len - sizeof(uint64_t))) { pr_err("Invalid offset (req len) 0x%x\n", req->ifd_data[i].cmd_buf_offset); return -EINVAL; } } else if ((data->type == QSEECOM_LISTENER_SERVICE) && (lstnr_resp->ifd_data[i].fd > 0)) { if ((lstnr_resp->resp_len < sizeof(uint64_t)) || (lstnr_resp->ifd_data[i].cmd_buf_offset > lstnr_resp->resp_len - sizeof(uint64_t))) { pr_err("Invalid offset (lstnr resp len) 0x%x\n", lstnr_resp->ifd_data[i].cmd_buf_offset); return -EINVAL; } } return 0; } static int __qseecom_update_cmd_buf(void *msg, bool cleanup, struct qseecom_dev_handle *data) { @@ -4046,7 +4073,8 @@ static int __qseecom_update_cmd_buf_64(void *msg, bool cleanup, if (sg_ptr->nents == 1) { uint64_t *update_64bit; if (__boundary_checks_offset(req, lstnr_resp, data, i)) if (__boundary_checks_offset_64(req, lstnr_resp, data, i)) goto err; /* 64bit app uses 64bit address */ update_64bit = (uint64_t *) field;
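Review bot: `__boundary_checks_offset_64` looks like a near-verbatim copy of `__boundary_checks_offset` that differs only in the write width (the 32-bit helper's body is outside this section, so this is inferred), and two copies of a bounds check are easy to let drift apart. Consider one helper that takes the width, e.g. a trailing `size_t write_sz` parameter tested as `req->cmd_req_len < write_sz || cmd_buf_offset > req->cmd_req_len - write_sz`, with the call sites passing `sizeof(uint32_t)` or `sizeof(uint64_t)`. The two `pr_err` lines print only the offset; also logging the length it was compared against (`req->cmd_req_len` / `lstnr_resp->resp_len`) would make a rejected request diagnosable from the kernel log. Only the `sg_ptr->nents == 1` branch of `__qseecom_update_cmd_buf_64` is visible here; the multi-entry branch presumably writes more than one 64-bit word at the same offset, so it is worth confirming that it bounds the offset against its own total write size rather than relying on this 8-byte check.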