Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e8fff7e7 authored by qctecmdr's avatar qctecmdr Committed by Gerrit - the friendly Code Review server
Browse files

Merge "qseecom: correct range check in __qseecom_update_qteec_req_buf"

parents 3991d742 b289b0e8
Loading
Loading
Loading
Loading
+4 −2
Original line number Original line Diff line number Diff line
@@ -6870,9 +6870,11 @@ static int __qseecom_update_qteec_req_buf(struct qseecom_qteec_modfd_req *req,
	for (i = 0; i < MAX_ION_FD; i++) {
	for (i = 0; i < MAX_ION_FD; i++) {
		if (req->ifd_data[i].fd > 0) {
		if (req->ifd_data[i].fd > 0) {
			ion_fd = req->ifd_data[i].fd;
			ion_fd = req->ifd_data[i].fd;
			if ((req->req_len < sizeof(uint32_t)) ||
			if ((req->req_len <
				sizeof(struct qseecom_param_memref)) ||
				(req->ifd_data[i].cmd_buf_offset >
				(req->ifd_data[i].cmd_buf_offset >
				req->req_len - sizeof(uint32_t))) {
				req->req_len -
				sizeof(struct qseecom_param_memref))) {
				pr_err("Invalid offset/req len 0x%x/0x%x\n",
				pr_err("Invalid offset/req len 0x%x/0x%x\n",
					req->req_len,
					req->req_len,
					req->ifd_data[i].cmd_buf_offset);
					req->ifd_data[i].cmd_buf_offset);