
Commit f9a9be74 authored by Praveen Kurapati's avatar Praveen Kurapati Committed by Gerrit - the friendly Code Review server

msm: ipa3: Fix to validate the buffer size



Add code changes to validate the buffer size.
When ipa_read is called, verify whether the kernel buffer
size is in range.

Change-Id: I5c9a908b0500a5f0148ec7764425897570bdd713
Signed-off-by: default avatarPraveen Kurapati <pkurapat@codeaurora.org>
parent f7a9286e
+16 −3
/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
/* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -742,6 +742,12 @@ ssize_t ipa3_read(struct file *filp, char __user *buf, size_t count,
		if (msg) {
			locked = 0;
			mutex_unlock(&ipa3_ctx->msg_lock);
			if (count < sizeof(struct ipa_msg_meta)) {
				kfree(msg);
				msg = NULL;
				ret = -EFAULT;
				break;
			}
			if (copy_to_user(buf, &msg->meta,
					  sizeof(struct ipa_msg_meta))) {
				ret = -EFAULT;
@@ -752,6 +758,7 @@ ssize_t ipa3_read(struct file *filp, char __user *buf, size_t count,
			buf += sizeof(struct ipa_msg_meta);
			count -= sizeof(struct ipa_msg_meta);
			if (msg->buff) {
				if (count >= msg->meta.msg_len) {
					if (copy_to_user(buf, msg->buff,
							msg->meta.msg_len)) {
						ret = -EFAULT;
@@ -759,6 +766,12 @@ ssize_t ipa3_read(struct file *filp, char __user *buf, size_t count,
						msg = NULL;
						break;
					}
				} else {
					ret = -EFAULT;
					kfree(msg);
					msg = NULL;
					break;
				}
				buf += msg->meta.msg_len;
				count -= msg->meta.msg_len;
				msg->callback(msg->buff, msg->meta.msg_len,
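Review bot: The new `else` branch taken when `count < msg->meta.msg_len` frees `msg` but never releases `msg->buff`, which is known to be non-NULL there; the success path hands that buffer to `msg->callback`, which presumably is what frees it, so this path looks like it leaks the payload every time a reader passes a short buffer. Consider invoking `msg->callback` with the same arguments as the success path before `kfree(msg);`, and check whether the existing copy_to_user failure path needs the same treatment. Both new checks also return `-EFAULT` for a buffer that is merely too small; `ret = -EINVAL;` would let callers distinguish a short buffer from a bad pointer. The message appears to have been taken off the queue before either check runs, so it is discarded rather than kept for a retry with a larger buffer, which deserves a comment if that is intended. ipa3_read starts and ends outside these hunks, so the dequeue and final cleanup are not visible here.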