
Commit b1bc773c authored by Zhen Kong, committed by Gerrit - the friendly Code Review server

qseecom: Validate pointer offset in qseecom_send_modfd_cmd



Validate cmd_req_buf pointer offset in qseecom_send_modfd_cmd, and
make sure the cmd buffer address is within the shared buffer.

Change-Id: I431511a92ab2cccbc2daebc0cf76cc3872689a97
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
parent 27a70795
+7 −0
@@ -1635,6 +1635,13 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data,
		pr_err("response buffer address not within shared bufffer\n");
		return -EINVAL;
	}

	if (req.cmd_req_len == 0 || req.cmd_req_len > data->client.sb_length ||
		req.resp_len > data->client.sb_length) {
		pr_err("cmd or response buffer length not valid\n");
		return -EINVAL;
	}

	send_cmd_req.cmd_req_buf = req.cmd_req_buf;
	send_cmd_req.cmd_req_len = req.cmd_req_len;
	send_cmd_req.resp_buf = req.resp_buf;
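
Review bot: The length test on req.cmd_req_len and req.resp_len compares each length to data->client.sb_length on its own, so as far as these lines show, a request whose cmd_req_buf starts partway into the shared buffer can pass with a length that runs past the buffer's end. The commit message says the cmd buffer address is kept within the shared buffer, but nothing in this hunk tests req.cmd_req_buf itself. If that check sits above the visible context, say so in the message; otherwise add an end-of-range test here, written so it cannot wrap, for example by comparing the buffer's offset from the start of the shared buffer against `data->client.sb_length - req.cmd_req_len` once the length has been bounded. Two smaller points: req.resp_len == 0 is accepted while req.cmd_req_len == 0 is rejected, which deserves either a matching test or a comment explaining why an empty response is valid, and the single pr_err message does not tell the reader which of the two lengths failed.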