Commit 444ab61f authored by Rahul Sharma, committed by Gerrit - the friendly Code Review server

msm: sensor: Fix to validate the settings size in flash



The size of the settings, copied from userspace, is directly checked
in msm_cci_data_queue with CCI_I2C_MAX_WRITE. This might cause
out of bound access in function msm_cci_data_queue as the max size is
MAX_I2C_REG_SET. Hence adding check on the size in flash driver itself.

Change-Id: Iaf8b62815282386af58d1b111876cc80411385a0
CR fixed: 2062894
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
parent fe807a6a
+7 −0
@@ -152,6 +152,13 @@ static int32_t msm_flash_i2c_write_table(
	conf_array.reg_setting = settings->reg_setting_a;
	conf_array.size = settings->size;

	/* Validate the settings size */
	if ((!conf_array.size) || (conf_array.size > MAX_I2C_REG_SET)) {
		pr_err("failed: invalid size %d", conf_array.size);
		return -EINVAL;
	}


	return flash_ctrl->flash_i2c_client.i2c_func_tbl->i2c_write_table(
		&flash_ctrl->flash_i2c_client, &conf_array);
}
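
Review bot: the new bound check in msm_flash_i2c_write_table() guards only the flash driver's path, while the commit message places the out-of-bounds access in msm_cci_data_queue, which still compares the size against CCI_I2C_MAX_WRITE rather than MAX_I2C_REG_SET. Any other caller that forwards a userspace-supplied size to that function would depend on the same looser check, so it is worth either tightening the comparison in msm_cci_data_queue itself or confirming that every other caller validates the size the way this hunk does. In the same block, the pr_err() format string has no trailing "\n" and does not name the function; something like pr_err("%s: invalid size %d\n", __func__, conf_array.size) keeps the log line terminated and traceable. The extra blank line left after the closing brace of the check can also be dropped.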