msm: cpp: Fix for buffer overflow in cpp.

Fix for buffer overflow while handling ioctl. Instead of checking for length boundary, fix checks for exact length. CRs-Fixed: 518731 Change-Id: I9002f84b219e8b06ae0672d87c2d999e728a75aa Signed-off-by: Krishnankutty Kolathappilly <kkolatha@codeaurora.org>
author: Krishnankutty Kolathappilly <kkolatha@codeaurora.org> 2016-11-16 18:22:58 -0800
committer: Krishnankutty Kolathappilly <kkolatha@codeaurora.org> 2016-11-21 11:55:28 -0800
commit: 0c7eaae62abb514196863cc596090ca23ef80612 (patch)
tree: ab7d16f6bde40846d207f2e1a66e8aed7a20cb2e
parent: 4a91ea36cbf0f5a782b5b6f69604ed70bd0ab6ba (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index ab074ffbcdfb..b9018a226f2f 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -3031,8 +3031,7 @@ STREAM_BUFF_END:
 		uint32_t identity;
 		struct msm_cpp_buff_queue_info_t *buff_queue_info;
 		CPP_DBG("VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO\n");
-		if ((ioctl_ptr->len == 0) ||
-		    (ioctl_ptr->len > sizeof(uint32_t))) {
+		if (ioctl_ptr->len != sizeof(uint32_t)) {
 			mutex_unlock(&cpp_dev->mutex);
 			return -EINVAL;
 		}
author	Krishnankutty Kolathappilly <kkolatha@codeaurora.org>	2016-11-16 18:22:58 -0800
committer	Krishnankutty Kolathappilly <kkolatha@codeaurora.org>	2016-11-21 11:55:28 -0800
commit	0c7eaae62abb514196863cc596090ca23ef80612 (patch)
tree	ab7d16f6bde40846d207f2e1a66e8aed7a20cb2e
parent	4a91ea36cbf0f5a782b5b6f69604ed70bd0ab6ba (diff)