
qseecom: correct range check in __qseecom_update_qteec_req_buf
authorZhen Kong <zkong@codeaurora.org>
Mon, 29 Jul 2019 23:53:14 +0000 (16:53 -0700)
committerZhen Kong <zkong@codeaurora.org>
Fri, 13 Sep 2019 17:31:46 +0000 (10:31 -0700)
Validate that the request buffer has enough space to write a
struct qseecom_param_memref, rather than a uint32_t value, in
__qseecom_update_qteec_req_buf.

Change-Id: I4e092f7aa2b23648c2cedfada311828b9ceb35dc
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
drivers/misc/qseecom.c

index e85b2b8..f44ba39 100644 (file)
@@ -1,6 +1,6 @@
 /*Qualcomm Secure Execution Environment Communicator (QSEECOM) driver
  *
- * Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -6422,9 +6422,11 @@ static int __qseecom_update_qteec_req_buf(struct qseecom_qteec_modfd_req *req,
                                pr_err("Ion client can't retrieve the handle\n");
                                return -ENOMEM;
                        }
-                       if ((req->req_len < sizeof(uint32_t)) ||
+                       if ((req->req_len <
+                               sizeof(struct qseecom_param_memref)) ||
                                (req->ifd_data[i].cmd_buf_offset >
-                               req->req_len - sizeof(uint32_t))) {
+                               req->req_len -
+                               sizeof(struct qseecom_param_memref))) {
                                pr_err("Invalid offset/req len 0x%x/0x%x\n",
                                        req->req_len,
                                        req->ifd_data[i].cmd_buf_offset);
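Review bot: The `pr_err` under the corrected check labels its values "offset/req len" but passes `req->req_len` first and `req->ifd_data[i].cmd_buf_offset` second, so a rejected request is logged with the two numbers swapped. Since this is the line someone reads when triaging a malformed request, change the label to `"Invalid req len/offset 0x%x/0x%x\n"` or swap the arguments. The new bound also deserves a one-line comment above the `if`, for example `/* a struct qseecom_param_memref is written at cmd_buf_offset; it must fit within req_len */`, because the write it protects is not visible here and the earlier `sizeof(uint32_t)` bound shows how easily the check and the write size drift apart. The function body starts and ends outside this hunk, so it is worth confirming whether other offset checks in the file need the same size.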