Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 21fbc0b4 authored by E V Ravi's avatar E V Ravi Committed by Gerrit - the friendly Code Review server
Browse files

msm: ais: Validate packet params against cpu buffer length 



Modifying validate packet in cam utils and its callers to provide cpu
buffer length which is used in validation of number of cmd buffers,
io configs and patches.

Change-Id: Ifdb627759befc93e029c4948e630ba6ce63a76ca
Signed-off-by: default avatarE V Ravi <evenka@codeaurora.org>
parent e51cbabd

drivers/media/platform/msm/ais/cam_cdm/cam_cdm_virtual_core.c

+1 −1
Original line number Diff line number Diff line
@@ -120,7 +120,7 @@ int cam_virtual_cdm_submit_bl(struct cam_hw_info *cdm_hw, 
			(len >= cdm_cmd->cmd[i].offset)) {





			if ((len - cdm_cmd->cmd[i].offset) <

			if ((len - cdm_cmd->cmd[i].offset) <=

				cdm_cmd->cmd[i].len) {

				CAM_ERR(CAM_CDM, "Not enough buffer");

				rc = -EINVAL;

drivers/media/platform/msm/ais/cam_isp/cam_isp_context.c

+2 −1
Original line number Diff line number Diff line
@@ -147,7 +147,8 @@ static void cam_isp_ctx_dump_req(struct cam_isp_ctx_req *req_isp) 
			}

			remain_len = len - req_isp->cfg[i].offset;



			if (req_isp->cfg[i].len > remain_len) {

			if ((req_isp->cfg[i].len > remain_len) ||

				(req_isp->cfg[i].len == 0)) {

				CAM_ERR(CAM_ISP, "Invalid offset");

				need_put = true;

			}

drivers/media/platform/msm/ais/cam_sensor_module/cam_actuator/cam_actuator_core.c

+1 −0
Original line number Diff line number Diff line
@@ -523,6 +523,7 @@ int32_t cam_actuator_i2c_pkt_parse(struct cam_actuator_ctrl_t *a_ctrl, 
			remain_len = len_of_buff - cmd_desc[i].offset;

			cmd_buf += cmd_desc[i].offset / sizeof(uint32_t);

			cmm_hdr = (struct common_header *)cmd_buf;

			remain_len -= sizeof(struct common_header);



			switch (cmm_hdr->cmd_type) {

			case CAMERA_SENSOR_CMD_TYPE_I2C_INFO:

drivers/media/platform/msm/ais/cam_utils/cam_packet_util.c

+2 −1
Original line number Diff line number Diff line
@@ -131,7 +131,7 @@ int cam_packet_util_get_kmd_buffer(struct cam_packet *packet, 


	remain_len = len;

	if (((size_t)cmd_desc->offset >= len) ||

		((size_t)cmd_desc->size > (len - (size_t)cmd_desc->offset))) {

		((size_t)cmd_desc->size >= (len - (size_t)cmd_desc->offset))) {

		CAM_ERR(CAM_UTIL, "invalid memory len:%zd and cmd desc size:%d",

			len, cmd_desc->size);

		rc = -EINVAL;
@@ -147,6 +147,7 @@ int cam_packet_util_get_kmd_buffer(struct cam_packet *packet, 
	}



	cpu_addr += (cmd_desc->offset / 4) + (packet->kmd_cmd_buf_offset / 4);

	remain_len -= packet->kmd_cmd_buf_offset;

	CAM_DBG(CAM_UTIL, "total size %d, cmd size: %d, KMD buffer size: %d",

		cmd_desc->size, cmd_desc->length,

		cmd_desc->size - cmd_desc->length);