
qbt1000: Fix for incorrect buffer size check and integer overflow
authorAbir Ghosh <abirg@codeaurora.org>
Fri, 12 May 2017 03:46:34 +0000 (09:16 +0530)
committerGerrit - the friendly Code Review server <code-review@localhost>
Tue, 30 May 2017 06:57:06 +0000 (23:57 -0700)
Fix an incorrect buffer size check which might have caused integer
overflow.

CRs-Fixed: 2045285
Change-Id: I3b5b996c7405f51b488d6cbda31c81a9a9905f23
Signed-off-by: Abir Ghosh <abirg@codeaurora.org>
drivers/soc/qcom/qbt1000.c

index 6e7d34a..d14e824 100644 (file)
@@ -145,18 +145,17 @@ static int get_cmd_rsp_buffers(struct qseecom_handle *hdl,
        uint32_t *rsp_len)
 {
        /* 64 bytes alignment for QSEECOM */
-       *cmd_len = ALIGN(*cmd_len, 64);
-       *rsp_len = ALIGN(*rsp_len, 64);
+       uint64_t aligned_cmd_len = ALIGN((uint64_t)*cmd_len, 64);
+       uint64_t aligned_rsp_len = ALIGN((uint64_t)*rsp_len, 64);
 
-       if (((uint64_t)*rsp_len + (uint64_t)*cmd_len)
-                       > (uint64_t)g_app_buf_size) {
-               pr_err("buffer too small to hold cmd=%d and rsp=%d\n",
-                       *cmd_len, *rsp_len);
+       if ((aligned_rsp_len + aligned_cmd_len) > (uint64_t)g_app_buf_size)
                return -ENOMEM;
-       }
 
        *cmd = hdl->sbuf;
+       *cmd_len = aligned_cmd_len;
        *rsp = hdl->sbuf + *cmd_len;
+       *rsp_len = aligned_rsp_len;
+
        return 0;
 }
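Review bot: The stores `*cmd_len = aligned_cmd_len;` and `*rsp_len = aligned_rsp_len;` narrow a uint64_t to uint32_t implicitly, and the code gives no reason why nothing is lost. It is safe only because the preceding check bounds the sum by g_app_buf_size, and only if that global is no wider than 32 bits; its declaration is outside the hunk, so this should be confirmed. I would state the dependency with a comment above the stores, `/* sum <= g_app_buf_size was checked above, so neither value truncates */`, and use explicit casts such as `*cmd_len = (uint32_t)aligned_cmd_len;`. The check also assumes that hdl->sbuf is at least g_app_buf_size bytes long, which nothing in the hunk establishes, so a comment naming where that is guaranteed would help the next reader. The function's parameter list begins outside the hunk.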