From 25865f691b22d9b013cce032c06d3c0ed2485495 Mon Sep 17 00:00:00 2001
From: Abir Ghosh
Date: Fri, 12 May 2017 09:16:34 +0530
Subject: [PATCH] qbt1000: Fix for incorrect buffer size check and integer overflow

Fix an incorrect buffer size check which might have caused integer overflow.

CRs-Fixed: 2045285
Change-Id: I3b5b996c7405f51b488d6cbda31c81a9a9905f23
Signed-off-by: Abir Ghosh
---
 drivers/soc/qcom/qbt1000.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c
index 6e7d34ac9163..d14e82415c5a 100644
--- a/drivers/soc/qcom/qbt1000.c
+++ b/drivers/soc/qcom/qbt1000.c
@@ -145,18 +145,17 @@ static int get_cmd_rsp_buffers(struct qseecom_handle *hdl,
 uint32_t *rsp_len)
 {
 /* 64 bytes alignment for QSEECOM */
- *cmd_len = ALIGN(*cmd_len, 64);
- *rsp_len = ALIGN(*rsp_len, 64);
+ uint64_t aligned_cmd_len = ALIGN((uint64_t)*cmd_len, 64);
+ uint64_t aligned_rsp_len = ALIGN((uint64_t)*rsp_len, 64);
 
- if (((uint64_t)*rsp_len + (uint64_t)*cmd_len)
- > (uint64_t)g_app_buf_size) {
- pr_err("buffer too small to hold cmd=%d and rsp=%d\n",
- *cmd_len, *rsp_len);
+ if ((aligned_rsp_len + aligned_cmd_len) > (uint64_t)g_app_buf_size)
 return -ENOMEM;
- }
 
 *cmd = hdl->sbuf;
+ *cmd_len = aligned_cmd_len;
 *rsp = hdl->sbuf + *cmd_len;
+ *rsp_len = aligned_rsp_len;
+
 return 0;
 }
 
-- 
2.11.0
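Review bot: The bound in the new `if` is still the global `g_app_buf_size` rather than the length of the buffer that `hdl->sbuf` actually points to, so `*rsp = hdl->sbuf + *cmd_len` stays in bounds only if every handle reaching this function was allocated with exactly that size. That is not visible in this hunk, and if the handle records its own buffer length, that would be the safer value to compare against. The assignments `*cmd_len = aligned_cmd_len;` and `*rsp_len = aligned_rsp_len;` narrow 64-bit values into `uint32_t` silently; a comment such as `/* fits in 32 bits: sum was checked against g_app_buf_size above */` would record why that is safe, presuming `g_app_buf_size` itself fits in 32 bits. The rejection path also loses its `pr_err` without the commit message saying why; if the diagnostic is still wanted, `pr_err_ratelimited("cmd=%u and rsp=%u exceed app buffer\n", *cmd_len, *rsp_len);` keeps it with the correct unsigned format. The function signature begins above the hunk, so the origin of the two length arguments cannot be confirmed from here.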