| author | Skylar Chang <chiaweic@codeaurora.org> | 2016-11-30 14:41:24 -0800 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-11-30 15:12:26 -0800 |
| commit | 82c26829a0edda8c38381a7da96b9ea2adc3f2a8 (patch) | |
| tree | 09a6ee28242cc6f1a6d44290edbde28b013015d5 /drivers/platform | |
| parent | 0380dc86d2a75a4ae7d4246a94a5d767b0b75de4 (diff) | |
msm: ipa: fix the potential heap overflow on wan-driver
Add the check on rmnet_ipa3_set_tether_client_pipe API
to make sure not accessing more than QMI_IPA_MAX_PIPES_V01
entries when user-space module compromised.
Change-Id: I59d39c7e5743dfea17853b6c4709605d4ebae962
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Diffstat (limited to 'drivers/platform')
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c | 19 | ||||
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c | 17 |
2 files changed, 35 insertions, 1 deletions
diff --git a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
index c2e43a62ab69..b1f27ceb492b 100644
--- a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
@@ -2573,7 +2573,7 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data)
 *
 * Return codes:
 * 0: Success
- * -EFAULT: Invalid interface name provided
+ * -EFAULT: Invalid src/dst pipes provided
 * other: See ipa_qmi_set_data_quota
 */
 int rmnet_ipa_set_tether_client_pipe(
@@ -2581,6 +2581,23 @@ int rmnet_ipa_set_tether_client_pipe(
 {
 int number, i;
 
+ /* error checking if ul_src_pipe_len valid or not*/
+ if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+ data->ul_src_pipe_len < 0) {
+ IPAWANERR("UL src pipes %d exceeding max %d\n",
+ data->ul_src_pipe_len,
+ QMI_IPA_MAX_PIPES_V01);
+ return -EFAULT;
+ }
+ /* error checking if dl_dst_pipe_len valid or not*/
+ if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+ data->dl_dst_pipe_len < 0) {
+ IPAWANERR("DL dst pipes %d exceeding max %d\n",
+ data->dl_dst_pipe_len,
+ QMI_IPA_MAX_PIPES_V01);
+ return -EFAULT;
+ }
+
 IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",
 data->ipa_client,
 data->ul_src_pipe_len,
diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
index 0419249890e9..c7c29703b824 100644
--- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
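Review bot: The two checks added at the top of `rmnet_ipa_set_tether_client_pipe` in ipa_v2/rmnet_ipa.c bound only `ul_src_pipe_len` and `dl_dst_pipe_len`; the pipe numbers stored in the lists are not validated here, and the loops that consume them are outside the hunk, so if those values are later used as indexes they need their own range check. The `< 0` arm only does anything if the two length fields are signed; the struct is not shown on this page, and if they are unsigned the arm is dead code and the `%d` in both `IPAWANERR` calls should be `%u`. An out-of-range count is an invalid argument rather than a bad address, so `return -EINVAL;` would be the conventional code, with the header comment changed to match. The identical hunk in ipa_v3/rmnet_ipa.c has the same points.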
@@ -2656,6 +2656,23 @@ int rmnet_ipa3_set_tether_client_pipe(
 {
 int number, i;
 
+ /* error checking if ul_src_pipe_len valid or not*/
+ if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+ data->ul_src_pipe_len < 0) {
+ IPAWANERR("UL src pipes %d exceeding max %d\n",
+ data->ul_src_pipe_len,
+ QMI_IPA_MAX_PIPES_V01);
+ return -EFAULT;
+ }
+ /* error checking if dl_dst_pipe_len valid or not*/
+ if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+ data->dl_dst_pipe_len < 0) {
+ IPAWANERR("DL dst pipes %d exceeding max %d\n",
+ data->dl_dst_pipe_len,
+ QMI_IPA_MAX_PIPES_V01);
+ return -EFAULT;
+ }
+
 IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",
 data->ipa_client,
 data->ul_src_pipe_len, |
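Review bot: The header comment of `rmnet_ipa3_set_tether_client_pipe` is not touched in this file section, unlike the ipa_v2 copy, so it presumably still documents `-EFAULT` with the old wording while the function now returns it for an out-of-range pipe count. Applying the same one-line change, ` * -EFAULT: Invalid src/dst pipes provided`, would keep the two copies consistent. The comment itself lies outside this hunk; this is inferred from the diffstat, which shows 17 changed lines here against 19 in ipa_v2.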
