Bluetooth - Fix for checking proper user-supplied buffers

During patch download of devices, size validations & zero alloc the buffers to ensure values passed are in range CRs-fixed: 2084692 Change-Id: Ie1cd76fe68766d6d12d7262202e48c18ebe42274 Signed-off-by: Balvinder Singh <bpsingh@codeaurora.org>
author: Balvinder Singh <bpsingh@codeaurora.org> 2017-11-06 11:50:46 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2017-11-24 05:59:19 -0800
commit: 5c5e40bb3854ccf65f9cce438ba27eb46d1f0469 (patch)
tree: 2b5562bfe11a15ee81f70fa298ffa40ebe3db2d3 /drivers/bluetooth/ath3k.c
parent: af5f70355c26dced06be3b8b34f0f10b81a44f40 (diff)
1 files changed, 16 insertions, 2 deletions
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index 5df8e1234505..071c94457d34 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -209,13 +209,27 @@ static int ath3k_load_firmware(struct usb_device *udev,
 {
 	u8 *send_buf;
 	int err, pipe, len, size, sent = 0;
-	int count = firmware->size;
+	int count;
 
 	BT_DBG("udev %p", udev);
 
+	if (!firmware || !firmware->data || firmware->size <= 0) {
+		err = -EINVAL;
+		BT_ERR("Not a valid FW file");
+		return err;
+	}
+
+	count = firmware->size;
+
+	if (count < FW_HDR_SIZE) {
+		err = -EINVAL;
+		BT_ERR("ath3k loading invalid size of file");
+		return err;
+	}
+
 	pipe = usb_sndctrlpipe(udev, 0);
 
-	send_buf = kmalloc(BULK_SIZE, GFP_KERNEL);
+	send_buf = kzalloc(BULK_SIZE, GFP_KERNEL);
 	if (!send_buf) {
 		BT_ERR("Can't allocate memory chunk for firmware");
 		return -ENOMEM;
author	Balvinder Singh <bpsingh@codeaurora.org>	2017-11-06 11:50:46 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2017-11-24 05:59:19 -0800
commit	5c5e40bb3854ccf65f9cce438ba27eb46d1f0469 (patch)
tree	2b5562bfe11a15ee81f70fa298ffa40ebe3db2d3 /drivers/bluetooth/ath3k.c
parent	af5f70355c26dced06be3b8b34f0f10b81a44f40 (diff)