summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZhen Kong <zkong@codeaurora.org>2019-07-29 16:53:14 -0700
committerZhen Kong <zkong@codeaurora.org>2019-09-13 10:31:46 -0700
commitb5c5ac439d135772f962f741285ef19e4006e4b1 (patch)
treef92de72afb14a40ccf6faa518e8bc7fb548e3985
parent22dc337a69af6c8b2aceecb3cbaef9049ef4fb73 (diff)
qseecom: correct range check in __qseecom_update_qteec_req_buf
Make change to validate if there exists enough space to write a struct qseecom_param_memref instead of a unit32 value, in the request buffer in __qseecom_update_qteec_req_buf. Change-Id: I4e092f7aa2b23648c2cedfada311828b9ceb35dc Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Diffstat
-rw-r--r--drivers/misc/qseecom.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index e85b2b8972c9..f44ba39f3d21 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -1,6 +1,6 @@
/*Qualcomm Secure Execution Environment Communicator (QSEECOM) driver
*
- * Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -6422,9 +6422,11 @@ static int __qseecom_update_qteec_req_buf(struct qseecom_qteec_modfd_req *req,
pr_err("Ion client can't retrieve the handle\n");
return -ENOMEM;
}
- if ((req->req_len < sizeof(uint32_t)) ||
+ if ((req->req_len <
+ sizeof(struct qseecom_param_memref)) ||
(req->ifd_data[i].cmd_buf_offset >
- req->req_len - sizeof(uint32_t))) {
+ req->req_len -
+ sizeof(struct qseecom_param_memref))) {
pr_err("Invalid offset/req len 0x%x/0x%x\n",
req->req_len,
req->ifd_data[i].cmd_buf_offset);
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-06 05:58:44 +0000