Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4a6838dd authored by Amir Samuelov's avatar Amir Samuelov Committed by Gerrit - the friendly Code Review server
Browse files

spcom: check buf_size validity for user send command 



Check command buf size before allocating kernel buffer.

CRs-Fixed: 1094078
Change-Id: Ib03cd8c79966ff35863c1bde99089cac018ab45c
Signed-off-by: default avatarAmir Samuelov <amirs@codeaurora.org>
parent a3c6f163

drivers/soc/qcom/spcom.c

+22 −0
Original line number Diff line number Diff line
@@ -1310,6 +1310,16 @@ static int spcom_handle_send_command(struct spcom_channel *ch, 


	pr_debug("send req/resp ch [%s] size [%d] .\n", ch->name, size);



	/*

	 * check that cmd buf size is at least struct size,

	 * to allow access to struct fields.

	 */

	if (size < sizeof(*cmd)) {

		pr_err("ch [%s] invalid cmd buf.\n",

			ch->name);

		return -EINVAL;

	}



	/* Check if remote side connect */

	if (!spcom_is_channel_connected(ch)) {

		pr_err("ch [%s] remote side not connect.\n", ch->name);
@@ -1321,6 +1331,18 @@ static int spcom_handle_send_command(struct spcom_channel *ch, 
	buf_size = cmd->buf_size;

	timeout_msec = cmd->timeout_msec;



	/* Check param validity */

	if (buf_size > SPCOM_MAX_RESPONSE_SIZE) {

		pr_err("ch [%s] invalid buf size [%d].\n",

			ch->name, buf_size);

		return -EINVAL;

	}

	if (size != sizeof(*cmd) + buf_size) {

		pr_err("ch [%s] invalid cmd size [%d].\n",

			ch->name, size);

		return -EINVAL;

	}



	/* Allocate Buffers*/

	tx_buf_size = sizeof(*hdr) + buf_size;

	tx_buf = kzalloc(tx_buf_size, GFP_KERNEL);