msm: sde: check buffer size before writing to user buffer

author Harsh Sahu <hsahu@codeaurora.org>

Fri, 23 Mar 2018 07:29:30 +0000 (00:29 -0700)

committer Gerrit - the friendly Code Review server <code-review@localhost>

Tue, 3 Apr 2018 07:05:53 +0000 (00:05 -0700)
author Harsh Sahu <hsahu@codeaurora.org>
Fri, 23 Mar 2018 07:29:30 +0000 (00:29 -0700)
committer Gerrit - the friendly Code Review server <code-review@localhost>
Tue, 3 Apr 2018 07:05:53 +0000 (00:05 -0700)
diff --git a/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.c b/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.c

index 1966fa9..a238155 100644 (file)
--- a/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.c
+++ b/drivers/media/platform/msm/sde/rotator/sde_rotator_debug.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2015-2018, The Linux Foundation. All rights reserved.
   *
   * This program is free software; you can redistribute it and/or modify
   * it under the terms of the GNU General Public License version 2 and
@@ -482,6 +482,11 @@ static ssize_t sde_rot_evtlog_dump_read(struct file *file, char __user *buff,
         if (__sde_rot_evtlog_dump_calc_range()) {
                 len = sde_rot_evtlog_dump_entry(evtlog_buf,
                                 SDE_ROT_EVTLOG_BUF_MAX);
+               if (len < 0 || len > count) {
+                       pr_err("len is more than the user buffer size\n");
+                       return 0;
+               }
+
                 if (copy_to_user(buff, evtlog_buf, len))
                         return -EFAULT;
                 *ppos += len;
author	Harsh Sahu <hsahu@codeaurora.org>
	Fri, 23 Mar 2018 07:29:30 +0000 (00:29 -0700)
committer	Gerrit - the friendly Code Review server <code-review@localhost>
	Tue, 3 Apr 2018 07:05:53 +0000 (00:05 -0700)