Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b1bc773c authored by Zhen Kong's avatar Zhen Kong Committed by Gerrit - the friendly Code Review server
Browse files

qseecom: Validate pointer offset in qseecom_send_modfd_cmd 



Validate cmd_req_buf pointer offset in qseecom_send_modfy_cmd, and
make sure cmd buffer address to be within shared bufffer.

Change-Id: I431511a92ab2cccbc2daebc0cf76cc3872689a97
Signed-off-by: default avatarZhen Kong <zkong@codeaurora.org>
parent 27a70795

drivers/misc/qseecom.c

+7 −0
Original line number Diff line number Diff line
@@ -1635,6 +1635,13 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data, 
		pr_err("response buffer address not within shared bufffer\n");

		return -EINVAL;

	}



	if (req.cmd_req_len == 0 || req.cmd_req_len > data->client.sb_length ||

		req.resp_len > data->client.sb_length) {

		pr_err("cmd or response buffer length not valid\n");

		return -EINVAL;

	}



	send_cmd_req.cmd_req_buf = req.cmd_req_buf;

	send_cmd_req.cmd_req_len = req.cmd_req_len;

	send_cmd_req.resp_buf = req.resp_buf;