[PATCH v2 2/2] firmware: arm_scpi: check the payload length in scpi_send_message
Martin Blumenstingl
martin.blumenstingl at googlemail.com
Thu Nov 24 16:54:32 PST 2016
This adds a sanity check to ensure we're not writing data beyond the
end of our rx_buf and tx_buf. Currently we are still far from reaching
this limit, so this is a non-critical fix.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl at googlemail.com>
---
drivers/firmware/arm_scpi.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
index 8c183d8..78ea8c7 100644
--- a/drivers/firmware/arm_scpi.c
+++ b/drivers/firmware/arm_scpi.c
@@ -538,6 +538,11 @@ static int scpi_send_message(u8 idx, void *tx_buf, unsigned int tx_len,
scpi_info->num_chans;
scpi_chan = scpi_info->channels + chan;
+ if (tx_len > scpi_chan->max_payload_len)
+ return -EINVAL;
+ if (rx_len > scpi_chan->max_payload_len)
+ return -EINVAL;
+
msg = get_scpi_xfer(scpi_chan);
if (!msg)
return -ENOMEM;
--
2.10.2
More information about the linux-arm-kernel
mailing list