Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 25865f69 authored by Abir Ghosh's avatar Abir Ghosh Committed by Gerrit - the friendly Code Review server
Browse files

qbt1000: Fix for incorrect buffer size check and integer overflow 



Fix an incorrect buffer size check which might have caused integer
overflow.

CRs-Fixed: 2045285
Change-Id: I3b5b996c7405f51b488d6cbda31c81a9a9905f23
Signed-off-by: default avatarAbir Ghosh <abirg@codeaurora.org>
parent ace73576

drivers/soc/qcom/qbt1000.c

+6 −7
Original line number Diff line number Diff line
@@ -145,18 +145,17 @@ static int get_cmd_rsp_buffers(struct qseecom_handle *hdl, 
	uint32_t *rsp_len)

{

	/* 64 bytes alignment for QSEECOM */

	*cmd_len = ALIGN(*cmd_len, 64);

	*rsp_len = ALIGN(*rsp_len, 64);

	uint64_t aligned_cmd_len = ALIGN((uint64_t)*cmd_len, 64);

	uint64_t aligned_rsp_len = ALIGN((uint64_t)*rsp_len, 64);



	if (((uint64_t)*rsp_len + (uint64_t)*cmd_len)

			> (uint64_t)g_app_buf_size) {

		pr_err("buffer too small to hold cmd=%d and rsp=%d\n",

			*cmd_len, *rsp_len);

	if ((aligned_rsp_len + aligned_cmd_len) > (uint64_t)g_app_buf_size)

		return -ENOMEM;

	}



	*cmd = hdl->sbuf;

	*cmd_len = aligned_cmd_len;

	*rsp = hdl->sbuf + *cmd_len;

	*rsp_len = aligned_rsp_len;



	return 0;

}