diff options
| author | Mohammed Javid <mjavid@codeaurora.org> | 2018-10-08 20:04:48 +0530 |
|---|---|---|
| committer | Mohammed Javid <mjavid@codeaurora.org> | 2018-10-09 19:44:56 +0530 |
| commit | e1d1b7cce40b8a40bfed9f83e5c29679f6eba378 (patch) | |
| tree | d97a517e7fd2ad2ada37cd85c816311cb0b96edc /drivers/platform/msm | |
| parent | 3b8fc0b7a3fcc809378d82dbf66b417e186af205 (diff) | |
msm: ipa3: Fix to validate the user inputs
Adding code changes to validate user inputs.
Before allocating the NAT entry verifying the
NAT entry size in range or not.
Change-Id: I21147f20a12243af5d21aebdc206703964db2be4
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Diffstat (limited to 'drivers/platform/msm')
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v2/ipa_nat.c | 14 | ||||
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v3/ipa_nat.c | 14 |
2 files changed, 28 insertions, 0 deletions
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c b/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c index 7cddbf850540..a7cdf691ec68 100644 --- a/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c +++ b/drivers/platform/msm/ipa/ipa_v2/ipa_nat.c @@ -35,6 +35,13 @@ enum nat_table_type { #define NAT_TABLE_ENTRY_SIZE_BYTE 32 #define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4 +/* + * Max NAT table entries is limited 1000 entries. + * Limit the memory size required by user to prevent kernel memory starvation + */ +#define IPA_TABLE_MAX_ENTRIES 1000 +#define MAX_ALLOC_NAT_SIZE (IPA_TABLE_MAX_ENTRIES * NAT_TABLE_ENTRY_SIZE_BYTE) + static int ipa_nat_vma_fault_remap( struct vm_area_struct *vma, struct vm_fault *vmf) { @@ -270,6 +277,13 @@ int ipa2_allocate_nat_device(struct ipa_ioc_nat_alloc_mem *mem) goto bail; } + if (mem->size > MAX_ALLOC_NAT_SIZE) { + IPAERR("Trying allocate more size = %zu, Max allowed = %d\n", + mem->size, MAX_ALLOC_NAT_SIZE); + result = -EPERM; + goto bail; + } + if (mem->size <= 0 || nat_ctx->is_dev_init == true) { IPAERR_RL("Invalid Parameters or device is already init\n"); diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c b/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c index 17e4cae311ce..0b52acdeafc1 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c @@ -34,6 +34,13 @@ enum nat_table_type { #define NAT_TABLE_ENTRY_SIZE_BYTE 32 #define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4 +/* + * Max NAT table entries is limited 1000 entries. + * Limit the memory size required by user to prevent kernel memory starvation + */ +#define IPA_TABLE_MAX_ENTRIES 1000 +#define MAX_ALLOC_NAT_SIZE (IPA_TABLE_MAX_ENTRIES * NAT_TABLE_ENTRY_SIZE_BYTE) + static int ipa3_nat_vma_fault_remap( struct vm_area_struct *vma, struct vm_fault *vmf) { @@ -272,6 +279,13 @@ int ipa3_allocate_nat_device(struct ipa_ioc_nat_alloc_mem *mem) goto bail; } + if (mem->size > MAX_ALLOC_NAT_SIZE) { + IPAERR("Trying allocate more size = %zu, Max allowed = %d\n", + mem->size, MAX_ALLOC_NAT_SIZE); + result = -EPERM; + goto bail; + } + if (mem->size <= 0 || nat_ctx->is_dev_init == true) { IPAERR_RL("Invalid Parameters or device is already init\n"); |