
Commit b289b0e8 authored by Zhen Kong, committed by Gerrit - the friendly Code Review server

qseecom: correct range check in __qseecom_update_qteec_req_buf



Make change to validate if there exists enough space to write a
struct qseecom_param_memref instead of a uint32 value, in the
request buffer in __qseecom_update_qteec_req_buf.

Change-Id: I4e092f7aa2b23648c2cedfada311828b9ceb35dc
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
parent a629752b
+4 −2
@@ -6842,9 +6842,11 @@ static int __qseecom_update_qteec_req_buf(struct qseecom_qteec_modfd_req *req,
	for (i = 0; i < MAX_ION_FD; i++) {
		if (req->ifd_data[i].fd > 0) {
			ion_fd = req->ifd_data[i].fd;
			if ((req->req_len < sizeof(uint32_t)) ||
			if ((req->req_len <
				sizeof(struct qseecom_param_memref)) ||
				(req->ifd_data[i].cmd_buf_offset >
				req->req_len - sizeof(uint32_t))) {
				req->req_len -
				sizeof(struct qseecom_param_memref))) {
				pr_err("Invalid offset/req len 0x%x/0x%x\n",
					req->req_len,
					req->ifd_data[i].cmd_buf_offset);
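Review bot: The pr_err in the context lines right after the changed condition labels its values "Invalid offset/req len" but passes req->req_len first and req->ifd_data[i].cmd_buf_offset second, so a rejected request logs the two numbers under the wrong names. Since this check is being touched anyway, swap the arguments (or the label) so that triage of a rejected request reads correctly. Separately, the new bound `req->req_len - sizeof(struct qseecom_param_memref)` only avoids wrapping because the `req->req_len < sizeof(struct qseecom_param_memref)` clause is evaluated first; a one-line comment stating that ordering dependency, and that a full struct qseecom_param_memref is written at cmd_buf_offset, would keep a later refactor from reintroducing the short check.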