
msm: ipa: Fix to validate the buffer size
authorPraveen Kurapati <pkurapat@codeaurora.org>
Thu, 17 Jan 2019 10:06:31 +0000 (15:36 +0530)
committerGerrit - the friendly Code Review server <code-review@localhost>
Mon, 11 Feb 2019 10:54:58 +0000 (02:54 -0800)
Adding code changes to validate buffer size.
While calling ipa_read, verify whether the kernel buffer
size is in range.

Change-Id: Idc608c2cf0587a00f19ece38a4eb646f7fde68e3
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
drivers/platform/msm/ipa/ipa_v2/ipa_intf.c

index da56a2e..2056a74 100644 (file)
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -735,8 +735,14 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
                        IPADBG("msg=%pK\n", msg);
                        locked = 0;
                        mutex_unlock(&ipa_ctx->msg_lock);
+                       if (count < sizeof(struct ipa_msg_meta)) {
+                               kfree(msg);
+                               msg = NULL;
+                               ret = -EFAULT;
+                               break;
+                       }
                        if (copy_to_user(buf, &msg->meta,
-                                         sizeof(struct ipa_msg_meta))) {
+                                       sizeof(struct ipa_msg_meta))) {
                                kfree(msg);
                                msg = NULL;
                                ret = -EFAULT;
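Review bot: The new `count < sizeof(struct ipa_msg_meta)` check runs after msg_lock has been released and, as far as the hunk shows, after msg has already been taken off the queue, so a caller that passes a too-short buffer does not just get an error — that message is freed and lost, where a check done before the dequeue (or a requeue on failure) would leave it readable on retry; the same applies to the `count >= msg->meta.msg_len` test in the next hunk. -EFAULT is also the code the existing copy_to_user path reserves for a bad user address; a buffer that is merely too small is usually reported as -EINVAL or -EMSGSIZE, which would let user space tell the two cases apart. The rest of ipa_read, including the dequeue and the loop head this presumably sits in, lies outside the hunk, so the ordering concern should be confirmed against the full function.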
@@ -745,8 +751,15 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
                        buf += sizeof(struct ipa_msg_meta);
                        count -= sizeof(struct ipa_msg_meta);
                        if (msg->buff) {
-                               if (copy_to_user(buf, msg->buff,
-                                                 msg->meta.msg_len)) {
+                               if (count >= msg->meta.msg_len) {
+                                       if (copy_to_user(buf, msg->buff,
+                                                       msg->meta.msg_len)) {
+                                               kfree(msg);
+                                               msg = NULL;
+                                               ret = -EFAULT;
+                                               break;
+                                       }
+                               } else {
                                        kfree(msg);
                                        msg = NULL;
                                        ret = -EFAULT;
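Review bot: The new else branch repeats the kfree / `msg = NULL` / `ret = -EFAULT` / break sequence of the copy_to_user failure path it wraps, adding a nesting level for no new behaviour; folding the length test into the condition, `if (count < msg->meta.msg_len || copy_to_user(buf, msg->buff, msg->meta.msg_len)) {`, keeps a single cleanup path and restores the original indentation of the copy. If the two cases are meant to be distinguished, a different return code for the short-buffer case would justify keeping them separate. The else branch's closing brace and the remainder of ipa_read are outside the hunk.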