malhuda/msm-4.14
1
0
Fork 0
mirror of https://github.com/rd-stuffs/msm-4.14.git synced 2025-02-20 11:45:48 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

qbt1000: Fix for incorrect buffer size check and integer overflow

Browse Source 
Fix an incorrect buffer size check which might have caused integer
overflow.

CRs-Fixed: 2045285
Change-Id: I3b5b996c7405f51b488d6cbda31c81a9a9905f23
Signed-off-by: Abir Ghosh <abirg@codeaurora.org>
Signed-off-by: Kota Priyanka <kotap@codeaurora.org>
This commit is contained in:
Abir Ghosh 2017-05-12 09:16:34 +05:30 committed by Gerrit - the friendly Code Review server
parent f05c122197
commit 0e8b39234e
1 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
drivers/soc/qcom/qbt1000.c
View File

@ -150,18 +150,17 @@ static int get_cmd_rsp_buffers(struct qseecom_handle *hdl,
uint32_t *rsp_len)
{
/* 64 bytes alignment for QSEECOM */
*cmd_len = ALIGN(*cmd_len, 64);
*rsp_len = ALIGN(*rsp_len, 64);
uint64_t aligned_cmd_len = ALIGN((uint64_t)*cmd_len, 64);
uint64_t aligned_rsp_len = ALIGN((uint64_t)*rsp_len, 64);
if (((uint64_t)*rsp_len + (uint64_t)*cmd_len)
> (uint64_t)g_app_buf_size) {
pr_err("buffer too small to hold cmd=%d and rsp=%d\n",
*cmd_len, *rsp_len);
if ((aligned_rsp_len + aligned_cmd_len) > (uint64_t)g_app_buf_size)
return -ENOMEM;
}
*cmd = hdl->sbuf;
*cmd_len = aligned_cmd_len;
*rsp = hdl->sbuf + *cmd_len;
*rsp_len = aligned_rsp_len;
return 0;
}