
Commit c52c4727 authored by Piyush Dhyani

msm: ipa3: Fix to prevent Integer Overflow



The value of `req->filter_spec_ex2_list_len`
is user input via ioctl and its type is uint32,
so an integer overflow may occur, which can result
in an out-of-bounds access in the following loop.
Add checks to prevent the integer overflow.

Change-Id: Ia29b9ddc674e5dd3d5baf6623cf0a464c156d8f7
Signed-off-by: Piyush Dhyani <pdhyani@codeaurora.org>
parent 9e84b183
+9 −5
// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2013-2020, The Linux Foundation. All rights reserved.
 * Copyright (c) 2013-2021, The Linux Foundation. All rights reserved.
 */

#include <linux/module.h>
@@ -930,7 +930,10 @@ int ipa3_qmi_add_offload_request_send(
	}

	/* check if the filter rules from IPACM is valid */
	if (req->filter_spec_ex2_list_len == 0) {
	if (req->filter_spec_ex2_list_len < 0) {
		IPAWANERR("IPACM pass invalid num of rules\n");
		return -EINVAL;
	} else if (req->filter_spec_ex2_list_len == 0) {
		IPAWANDBG("IPACM pass zero rules to Q6\n");
	} else {
		IPAWANDBG("IPACM pass %u rules to Q6\n",
@@ -938,9 +941,10 @@ int ipa3_qmi_add_offload_request_send(
	}

	/* currently set total max to 64 */
	if (req->filter_spec_ex2_list_len +
		ipa3_qmi_ctx->num_ipa_offload_connection
		>= QMI_IPA_MAX_FILTERS_V01) {
	if ((ipa3_qmi_ctx->num_ipa_offload_connection < 0) ||
		(req->filter_spec_ex2_list_len >=
		(QMI_IPA_MAX_FILTERS_V01 -
			ipa3_qmi_ctx->num_ipa_offload_connection))) {
		IPAWANDBG(
		"cur(%d), req(%d), exceed limit (%d)\n",
			ipa3_qmi_ctx->num_ipa_offload_connection,
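Review bot: In the rewritten limit check of the second hunk, `QMI_IPA_MAX_FILTERS_V01 - ipa3_qmi_ctx->num_ipa_offload_connection` is compared against a field the commit message describes as uint32, so if the counter (printed with `%d`, so presumably a signed int) ever exceeds the maximum, the negative difference would be converted to a large unsigned value and the `>=` test would be false for any realistic length, letting the request through. Rejecting that state explicitly closes the gap: add `(ipa3_qmi_ctx->num_ipa_offload_connection >= QMI_IPA_MAX_FILTERS_V01) ||` after the `< 0` test, so the subtraction is only evaluated when its result is positive. In the first hunk, `req->filter_spec_ex2_list_len < 0` can never be true for an unsigned field, so that branch is dead code; it should be dropped or replaced with an upper-bound test against `QMI_IPA_MAX_FILTERS_V01`. The function body starts and ends outside both hunks, so whether the counter can exceed the limit elsewhere, and how the following loop indexes the list, is not visible here.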