diff options
| author | Linux Build Service Account <lnxbuild@localhost> | 2016-12-30 06:27:36 -0800 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-12-30 06:27:36 -0800 |
| commit | ba7a68eca26f066a79102aa2ebacc2c6e9657bd0 (patch) | |
| tree | 6a5c0579a1f8dd40a9f719d62c3ed54ef4ba607e | |
| parent | 8f4fb8ae38207ac0e5be8a2d88d045674f1dd248 (diff) | |
| parent | 82c26829a0edda8c38381a7da96b9ea2adc3f2a8 (diff) | |
Merge "msm: ipa: fix the potential heap overflow on wan-driver"
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c | 19 | ||||
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c | 17 |
2 files changed, 35 insertions, 1 deletions
diff --git a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c index c2e43a62ab69..b1f27ceb492b 100644 --- a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c +++ b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c @@ -2573,7 +2573,7 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data) * * Return codes: * 0: Success - * -EFAULT: Invalid interface name provided + * -EFAULT: Invalid src/dst pipes provided * other: See ipa_qmi_set_data_quota */ int rmnet_ipa_set_tether_client_pipe( @@ -2581,6 +2581,23 @@ int rmnet_ipa_set_tether_client_pipe( { int number, i; + /* error checking if ul_src_pipe_len valid or not*/ + if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 || + data->ul_src_pipe_len < 0) { + IPAWANERR("UL src pipes %d exceeding max %d\n", + data->ul_src_pipe_len, + QMI_IPA_MAX_PIPES_V01); + return -EFAULT; + } + /* error checking if dl_dst_pipe_len valid or not*/ + if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 || + data->dl_dst_pipe_len < 0) { + IPAWANERR("DL dst pipes %d exceeding max %d\n", + data->dl_dst_pipe_len, + QMI_IPA_MAX_PIPES_V01); + return -EFAULT; + } + IPAWANDBG("client %d, UL %d, DL %d, reset %d\n", data->ipa_client, data->ul_src_pipe_len, diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c index ff197705d845..f042d19f196a 100644 --- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c +++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c @@ -2736,6 +2736,23 @@ int rmnet_ipa3_set_tether_client_pipe( { int number, i; + /* error checking if ul_src_pipe_len valid or not*/ + if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 || + data->ul_src_pipe_len < 0) { + IPAWANERR("UL src pipes %d exceeding max %d\n", + data->ul_src_pipe_len, + QMI_IPA_MAX_PIPES_V01); + return -EFAULT; + } + /* error checking if dl_dst_pipe_len valid or not*/ + if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 || + data->dl_dst_pipe_len < 0) { + IPAWANERR("DL dst pipes %d exceeding max %d\n", + data->dl_dst_pipe_len, + QMI_IPA_MAX_PIPES_V01); + return -EFAULT; + } + IPAWANDBG("client %d, UL %d, DL %d, reset %d\n", data->ipa_client, data->ul_src_pipe_len, |