Commit b2259f67 authored Nov 16, 2016 by Krishnankutty Kolathappilly Committed by Gerrit - the friendly Code Review server Dec 12, 2016

msm: cpp: Fix for buffer overflow in cpp.



Fix for buffer overflow while handling ioctl.
Instead of checking for length boundary, fix checks
for exact length.

CRs-Fixed: 518731
Change-Id: I9002f84b219e8b06ae0672d87c2d999e728a75aa
Signed-off-by: Krishnankutty Kolathappilly <kkolatha@codeaurora.org>

parent 84267122

drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -3080,8 +3080,7 @@ STREAM_BUFF_END:
		uint32_t identity;
		struct msm_cpp_buff_queue_info_t *buff_queue_info;
		CPP_DBG("VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO\n");
		if ((ioctl_ptr->len == 0) \|\|
		(ioctl_ptr->len > sizeof(uint32_t))) {
		if (ioctl_ptr->len != sizeof(uint32_t)) {
		mutex_unlock(&cpp_dev->mutex);
		return -EINVAL;
		}