
Commit 7edae762 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server

Merge "msm: ipa: check the nat table offset sizes"

parents 5f16ec59 9c7005f7
+79 −13
@@ -303,27 +303,93 @@ bail:
 */
 */
int ipa_nat_init_cmd(struct ipa_ioc_v4_nat_init *init)
int ipa_nat_init_cmd(struct ipa_ioc_v4_nat_init *init)
{
{
#define TBL_ENTRY_SIZE 32
#define INDX_TBL_ENTRY_SIZE 4

	struct ipa_register_write *reg_write_nop;
	struct ipa_register_write *reg_write_nop;
	struct ipa_desc desc[2];
	struct ipa_desc desc[2];
	struct ipa_ip_v4_nat_init *cmd;
	struct ipa_ip_v4_nat_init *cmd;
	u16 size = sizeof(struct ipa_ip_v4_nat_init);
	u16 size = sizeof(struct ipa_ip_v4_nat_init);
	int result;
	int result;
	u32 offset = 0;
	u32 offset = 0;
	size_t tmp;


	IPADBG("\n");
	IPADBG("\n");
	if (init->table_entries == 0) {
	if (init->table_entries == 0) {
		IPADBG("Table index or entries is zero\n");
		IPADBG("Table entries is zero\n");
		result = -EPERM;
		return -EPERM;
		goto bail;
	}
	}


	/* check for integer overflow */
	if (init->ipv4_rules_offset >= ipa_ctx->nat_mem.size ||
	if (init->ipv4_rules_offset >
	    init->index_offset >= ipa_ctx->nat_mem.size ||
		UINT_MAX - (TBL_ENTRY_SIZE * (init->table_entries + 1))) {
	    init->expn_rules_offset >= ipa_ctx->nat_mem.size ||
			IPAERR("Detected overflow\n");
	    init->index_expn_offset >= ipa_ctx->nat_mem.size) {
			return -EPERM;
		IPAERR("Table rules offset are not valid\n");
	}
		result = -EPERM;
	/* Check Table Entry offset is not
		goto bail;
	   beyond allocated size */
	tmp = init->ipv4_rules_offset +
		(TBL_ENTRY_SIZE * (init->table_entries + 1));
	if (tmp > ipa_ctx->nat_mem.size) {
		IPAERR("Table rules offset not valid\n");
		IPAERR("offset:%d entrys:%d size:%zu mem_size:%zu\n",
			init->ipv4_rules_offset, (init->table_entries + 1),
			tmp, ipa_ctx->nat_mem.size);
		return -EPERM;
	}

	/* check for integer overflow */
	if (init->expn_rules_offset >
		UINT_MAX - (TBL_ENTRY_SIZE * init->expn_table_entries)) {
			IPAERR("Detected overflow\n");
			return -EPERM;
	}
	/* Check Expn Table Entry offset is not
	   beyond allocated size */
	tmp = init->expn_rules_offset +
		(TBL_ENTRY_SIZE * init->expn_table_entries);
	if (tmp > ipa_ctx->nat_mem.size) {
		IPAERR("Expn Table rules offset not valid\n");
		IPAERR("offset:%d entrys:%d size:%zu mem_size:%zu\n",
			init->expn_rules_offset, init->expn_table_entries,
			tmp, ipa_ctx->nat_mem.size);
		return -EPERM;
	}

  /* check for integer overflow */
	if (init->index_offset >
		UINT_MAX - (INDX_TBL_ENTRY_SIZE * (init->table_entries + 1))) {
			IPAERR("Detected overflow\n");
			return -EPERM;
	}
	/* Check Indx Table Entry offset is not
	   beyond allocated size */
	tmp = init->index_offset +
		(INDX_TBL_ENTRY_SIZE * (init->table_entries + 1));
	if (tmp > ipa_ctx->nat_mem.size) {
		IPAERR("Indx Table rules offset not valid\n");
		IPAERR("offset:%d entrys:%d size:%zu mem_size:%zu\n",
			init->index_offset, (init->table_entries + 1),
			tmp, ipa_ctx->nat_mem.size);
		return -EPERM;
	}

  /* check for integer overflow */
	if (init->index_expn_offset >
		UINT_MAX - (INDX_TBL_ENTRY_SIZE * init->expn_table_entries)) {
			IPAERR("Detected overflow\n");
			return -EPERM;
	}
	/* Check Expn Table entry offset is not
	   beyond allocated size */
	tmp = init->index_expn_offset +
		(INDX_TBL_ENTRY_SIZE * init->expn_table_entries);
	if (tmp > ipa_ctx->nat_mem.size) {
		IPAERR("Indx Expn Table rules offset not valid\n");
		IPAERR("offset:%d entrys:%d size:%zu mem_size:%zu\n",
			init->index_expn_offset, init->expn_table_entries,
			tmp, ipa_ctx->nat_mem.size);
		return -EPERM;
	}
	}


	memset(&desc, 0, sizeof(desc));
	memset(&desc, 0, sizeof(desc));
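Review bot: Each "check for integer overflow" guard computes `TBL_ENTRY_SIZE * (init->table_entries + 1)` (or the `INDX_TBL_ENTRY_SIZE` / `expn_table_entries` variant) inside the guard itself, so it is sound only if that product cannot wrap. The widths of `table_entries` and `expn_table_entries` are not visible in this hunk; if they are 32-bit, the `+ 1` and the multiply can wrap before the comparison with `UINT_MAX`, and the bounds check on `tmp` that follows would then pass on a wrapped value. Doing the arithmetic in 64 bits removes the dependency on field width and folds both checks into one, e.g. `u64 end = (u64)init->ipv4_rules_offset + (u64)TBL_ENTRY_SIZE * ((u64)init->table_entries + 1);` followed by `if (end > ipa_ctx->nat_mem.size) return -EPERM;`, applied to all four tables or moved into one small static helper. The two `#define`s placed inside the function body remain defined for the rest of the file, so they belong at file scope or need an `#undef`, and the `%d` specifiers should be `%u` if the offsets are unsigned. The body of ipa_nat_init_cmd continues past the end of this hunk.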