diff options
| author | Jay Jayanna <jayanna@codeaurora.org> | 2019-06-11 14:51:02 -0700 |
|---|---|---|
| committer | Chris Lew <clew@codeaurora.org> | 2019-06-11 19:00:45 -0700 |
| commit | 7caeb5cb7c4f128a505396a588e303ab9ab9c15c (patch) | |
| tree | f8f84054e54c13905eb215103a863ca6b04e7bf3 | |
| parent | 06ceb6bb61d15d96906733a0a4e1ca5a53a9fe3e (diff) | |
soc: qcom: glink_spi_xprt: Sanitize input for short cmd
Check for data fragment size against the maximum size that can be read
from the source.
Change-Id: I779a9055599cebbeb8f0f9ffb8d62be7e5c53deb
Signed-off-by: Jay Jayanna <jayanna@codeaurora.org>
| -rw-r--r-- | drivers/soc/qcom/glink_spi_xprt.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/drivers/soc/qcom/glink_spi_xprt.c b/drivers/soc/qcom/glink_spi_xprt.c index ade731cf3251..818051e6e9cb 100644 --- a/drivers/soc/qcom/glink_spi_xprt.c +++ b/drivers/soc/qcom/glink_spi_xprt.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2016-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2016-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -641,10 +641,13 @@ static int glink_spi_xprt_tx_cmd(struct edge_info *einfo, void *src, * is read. * @frag_size: Size of the data fragment to read. * @size_remaining: Size of data left to be read in this packet. + * @rx_size: Max size of data that can be read in this packet + * from source. */ static void process_rx_data(struct edge_info *einfo, uint16_t cmd_id, uint32_t rcid, uint32_t intent_id, void *src, - uint32_t frag_size, uint32_t size_remaining) + uint32_t frag_size, uint32_t size_remaining, + int rx_size) { struct glink_core_rx_intent *intent; int rc = 0; @@ -667,8 +670,14 @@ static void process_rx_data(struct edge_info *einfo, uint16_t cmd_id, return; } - if (cmd_id == TX_SHORT_DATA_CMD) + if (cmd_id == TX_SHORT_DATA_CMD) { + if (frag_size > rx_size) { + GLINK_ERR("%s: frag size:%d greater than rx size %d\n", + __func__, frag_size, rx_size); + return; + } memcpy(intent->data + intent->write_offset, src, frag_size); + } else rc = glink_spi_xprt_rx_data(einfo, src, intent->data + intent->write_offset, frag_size); @@ -838,7 +847,8 @@ static void process_rx_cmd(struct edge_info *einfo, process_rx_data(einfo, cmd->id, cmd->param1, cmd->param2, (void *)(uintptr_t)(rx_descp->addr), - rx_descp->size, rx_descp->size_left); + rx_descp->size, rx_descp->size_left, + rx_size); break; case TX_SHORT_DATA_CMD: @@ -849,7 +859,7 @@ static void process_rx_cmd(struct edge_info *einfo, offset += sizeof(*rx_sd_descp); process_rx_data(einfo, cmd->id, cmd->param1, cmd->param2, (void *)rx_sd_descp->data, - cmd->param3, cmd->param4); + cmd->param3, cmd->param4, rx_size); break; case READ_NOTIF_CMD: |