msm: ipa3: Fix to prevent Integer Overflow

The value of `req->filter_spec_ex2_list_len` is user input via ioctl and it's type is uint32, so an integer overflow may occur. Which can result in out of bound access in the following loop. Now add changes to prevent Integer overflow. Change-Id: Ia29b9ddc674e5dd3d5baf6623cf0a464c156d8f7 Signed-off-by: Piyush Dhyani <pdhyani@codeaurora.org>
4 years ago · 8fe01a5437
parent 7393aa45de
commit 8fe01a5437
1 changed files with 8 additions and 4 deletions
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c
@ -948,7 +948,10 @@ int ipa3_qmi_add_offload_request_send(
 	}

 	/* check if the filter rules from IPACM is valid */
-	if (req->filter_spec_ex2_list_len == 0) {
+	if (req->filter_spec_ex2_list_len < 0) {
+		IPAWANERR("IPACM pass invalid num of rules\n");
+		return -EINVAL;
+	} else if (req->filter_spec_ex2_list_len == 0) {
 		IPAWANDBG("IPACM pass zero rules to Q6\n");
 	} else {
 		IPAWANDBG("IPACM pass %u rules to Q6\n",
@ -956,9 +959,10 @@ int ipa3_qmi_add_offload_request_send(
 	}

 	/* currently set total max to 64 */
-	if (req->filter_spec_ex2_list_len +
-		ipa3_qmi_ctx->num_ipa_offload_connection
-		>= QMI_IPA_MAX_FILTERS_V01) {
+	if ((ipa3_qmi_ctx->num_ipa_offload_connection < 0) ||
+		(req->filter_spec_ex2_list_len >=
+		(QMI_IPA_MAX_FILTERS_V01 -
+			ipa3_qmi_ctx->num_ipa_offload_connection))) {
 		IPAWANDBG(
 		"cur(%d), req(%d), exceed limit (%d)\n",
 			ipa3_qmi_ctx->num_ipa_offload_connection,