Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 33b24612 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "msm: ipa: Add check to avoid to integer overflow"

parents 5904d2cc b962a82e

drivers/platform/msm/ipa/ipa_nat.c

+21 −0
Original line number Diff line number Diff line
@@ -225,6 +225,7 @@ int ipa_nat_init_cmd(struct ipa_ioc_v4_nat_init *init) 
	struct ipa_ip_v4_nat_init *cmd;

	u16 size = sizeof(struct ipa_ip_v4_nat_init);

	int result;

	u32 offset = 0;



	IPADBG("\n");

	if (init->tbl_index < 0 || init->table_entries <= 0) {
@@ -245,6 +246,26 @@ int ipa_nat_init_cmd(struct ipa_ioc_v4_nat_init *init) 
		cmd->index_table_addr_type = IPA_NAT_SYSTEM_MEMORY;

		cmd->index_table_expansion_addr_type = IPA_NAT_SYSTEM_MEMORY;



		offset = UINT_MAX - ipa_ctx->nat_mem.dma_handle;



		if ((init->ipv4_rules_offset > offset) ||

			(init->expn_rules_offset > offset) ||

			(init->index_offset > offset) ||

			(init->index_expn_offset > offset)) {

			IPAERR("Failed due to integer overflow\n");

			IPAERR("nat.mem.dma_handle: 0x%x\n",

				ipa_ctx->nat_mem.dma_handle);

			IPAERR("ipv4_rules_offset: 0x%x\n",

				init->ipv4_rules_offset);

			IPAERR("expn_rules_offset: 0x%x\n",

				init->expn_rules_offset);

			IPAERR("index_offset: 0x%x\n",

				init->index_offset);

			IPAERR("index_expn_offset: 0x%x\n",

				init->index_expn_offset);

			result = -EPERM;

			goto free_cmd;

		}

		cmd->ipv4_rules_addr =

			ipa_ctx->nat_mem.dma_handle + init->ipv4_rules_offset;

		IPADBG("ipv4_rules_offset:0x%x\n", init->ipv4_rules_offset);