Merge "crypto: msm: check invalid src and dst vbuf in qcedev.c" (39668d40) · Commits · e / devices / android_kernel_sony_msm8998

drivers/crypto/msm/qcedev.c

+10 −0

Original line number	Diff line number	Diff line
		@@ -1490,6 +1490,11 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
		}
		/* Check for sum of all dst length is equal to data_len */
		for (i = 0, total = 0; i < req->entries; i++) {
		if (!req->vbuf.dst[i].vaddr && req->vbuf.dst[i].len) {
		pr_err("%s: NULL req dst vbuf[%d] with length %d\n",
		__func__, i, req->vbuf.dst[i].len);
		goto error;
		}
		if (req->vbuf.dst[i].len >= U32_MAX - total) {
		pr_err("%s: Integer overflow on total req dst vbuf length\n",
		__func__);
		@@ -1504,6 +1509,11 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
		}
		/* Check for sum of all src length is equal to data_len */
		for (i = 0, total = 0; i < req->entries; i++) {
		if (!req->vbuf.src[i].vaddr && req->vbuf.src[i].len) {
		pr_err("%s: NULL req src vbuf[%d] with length %d\n",
		__func__, i, req->vbuf.src[i].len);
		goto error;
		}
		if (req->vbuf.src[i].len > U32_MAX - total) {
		pr_err("%s: Integer overflow on total req src vbuf length\n",
		__func__);