diff options
| author | Linux Build Service Account <lnxbuild@localhost> | 2016-12-06 14:33:41 -0800 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-12-06 14:33:40 -0800 |
| commit | 528cc477ec948cda7f83b4ef77be492f760018da (patch) | |
| tree | 2969402ab24e9b54d68c32a2968f729ed5c21bbf | |
| parent | 8811d36f9545ea3c94fe30849457e2f704536e80 (diff) | |
| parent | 42e0f618e96a64e892a1c50e3d1b5420ecb4b997 (diff) | |
Merge "msm: camera: sensor: Validate eeprom_name string length"
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c | 22 | ||||
| -rw-r--r-- | include/uapi/media/msm_cam_sensor.h | 2 |
2 files changed, 19 insertions, 5 deletions
diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c index ab87b2fabf2f..e60947ecad21 100644 --- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c +++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c @@ -619,6 +619,7 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl, struct msm_eeprom_cfg_data *cdata = (struct msm_eeprom_cfg_data *)argp; int rc = 0; + size_t length = 0; CDBG("%s E\n", __func__); switch (cdata->cfgtype) { @@ -631,9 +632,15 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl, } CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__); cdata->is_supported = e_ctrl->is_supported; + length = strlen(e_ctrl->eboard_info->eeprom_name) + 1; + if (length > MAX_EEPROM_NAME) { + pr_err("%s:%d invalid eeprom_name length %d\n", + __func__, __LINE__, (int)length); + rc = -EINVAL; + break; + } memcpy(cdata->cfg.eeprom_name, - e_ctrl->eboard_info->eeprom_name, - sizeof(cdata->cfg.eeprom_name)); + e_ctrl->eboard_info->eeprom_name, length); break; case CFG_EEPROM_GET_CAL_DATA: CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__); @@ -1473,6 +1480,7 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl, struct msm_eeprom_cfg_data32 *cdata = (struct msm_eeprom_cfg_data32 *)argp; int rc = 0; + size_t length = 0; CDBG("%s E\n", __func__); switch (cdata->cfgtype) { @@ -1485,9 +1493,15 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl, } CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__); cdata->is_supported = e_ctrl->is_supported; + length = strlen(e_ctrl->eboard_info->eeprom_name) + 1; + if (length > MAX_EEPROM_NAME) { + pr_err("%s:%d invalid eeprom_name length %d\n", + __func__, __LINE__, (int)length); + rc = -EINVAL; + break; + } memcpy(cdata->cfg.eeprom_name, - e_ctrl->eboard_info->eeprom_name, - sizeof(cdata->cfg.eeprom_name)); + e_ctrl->eboard_info->eeprom_name, length); break; case CFG_EEPROM_GET_CAL_DATA: CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__); diff --git a/include/uapi/media/msm_cam_sensor.h b/include/uapi/media/msm_cam_sensor.h index 172545d34b7d..c6144cd8f355 100644 --- a/include/uapi/media/msm_cam_sensor.h +++ b/include/uapi/media/msm_cam_sensor.h @@ -305,7 +305,7 @@ struct msm_eeprom_cfg_data { enum eeprom_cfg_type_t cfgtype; uint8_t is_supported; union { - char eeprom_name[MAX_SENSOR_NAME]; + char eeprom_name[MAX_EEPROM_NAME]; struct eeprom_get_t get_data; struct eeprom_read_t read_data; struct eeprom_write_t write_data; |