From 8fe01a5437af62114e81723e38abdf4783dae326 Mon Sep 17 00:00:00 2001
From: Piyush Dhyani
Date: Tue, 29 Jun 2021 02:27:54 +0530
Subject: [PATCH] msm: ipa3: Fix to prevent Integer Overflow

The value of `req->filter_spec_ex2_list_len` is user input via ioctl and it's type is uint32, so an integer overflow may occur. Which can result in out of bound access in the following loop. Now add changes to prevent Integer overflow.

Change-Id: Ia29b9ddc674e5dd3d5baf6623cf0a464c156d8f7
Signed-off-by: Piyush Dhyani
---
 drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c b/drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c
index c10b1e603e61..c9194d1cf1d7 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c
@@ -948,7 +948,10 @@ int ipa3_qmi_add_offload_request_send(
 }
 
 /* check if the filter rules from IPACM is valid */
- if (req->filter_spec_ex2_list_len == 0) {
+ if (req->filter_spec_ex2_list_len < 0) {
+ IPAWANERR("IPACM pass invalid num of rules\n");
+ return -EINVAL;
+ } else if (req->filter_spec_ex2_list_len == 0) {
 IPAWANDBG("IPACM pass zero rules to Q6\n");
 } else {
 IPAWANDBG("IPACM pass %u rules to Q6\n",
@@ -956,9 +959,10 @@ int ipa3_qmi_add_offload_request_send(
 }
 
 /* currently set total max to 64 */
- if (req->filter_spec_ex2_list_len +
- ipa3_qmi_ctx->num_ipa_offload_connection
- >= QMI_IPA_MAX_FILTERS_V01) {
+ if ((ipa3_qmi_ctx->num_ipa_offload_connection < 0) ||
+ (req->filter_spec_ex2_list_len >=
+ (QMI_IPA_MAX_FILTERS_V01 -
+ ipa3_qmi_ctx->num_ipa_offload_connection))) {
 IPAWANDBG(
 "cur(%d), req(%d), exceed limit (%d)\n",
 ipa3_qmi_ctx->num_ipa_offload_connection,
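Review bot: The new `if (req->filter_spec_ex2_list_len < 0)` branch in the first hunk can never be taken if the field is the uint32 the commit message describes: an unsigned value is never negative, so the comparison is constant-false (GCC's -Wtype-limits flags exactly this) and the `IPAWANERR` / `return -EINVAL` path is dead code that prevents no overflow. The overflow the commit is about is closed only by the rearranged limit check later in the same function, so this branch should either be dropped or turned into a real upper bound on the user-supplied count before it is used anywhere, e.g. `if (req->filter_spec_ex2_list_len > QMI_IPA_MAX_FILTERS_V01) { IPAWANERR("IPACM pass invalid num of rules\n"); return -EINVAL; }`. If the field is in fact a signed type, the commit message should say so, since the `%u` in the adjacent debug print treats it as unsigned. ipa3_qmi_add_offload_request_send starts before this hunk and continues after it.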
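Review bot: The rearranged limit check in the second hunk is only overflow-safe while `ipa3_qmi_ctx->num_ipa_offload_connection` stays within `[0, QMI_IPA_MAX_FILTERS_V01]`: the added `< 0` guard covers the low side, but if the counter ever exceeds the maximum, `QMI_IPA_MAX_FILTERS_V01 - num_ipa_offload_connection` goes negative and, compared against the unsigned `filter_spec_ex2_list_len`, converts to a huge value that lets any request through — the same class of bug this patch is fixing. Unless the counter is provably capped elsewhere (how it is maintained is not visible from this hunk), add the symmetric bound: `if ((ipa3_qmi_ctx->num_ipa_offload_connection < 0) || (ipa3_qmi_ctx->num_ipa_offload_connection > QMI_IPA_MAX_FILTERS_V01) || (req->filter_spec_ex2_list_len >= (QMI_IPA_MAX_FILTERS_V01 - ipa3_qmi_ctx->num_ipa_offload_connection))) {`. The unchanged `IPAWANDBG("cur(%d), req(%d), exceed limit (%d)\n", ...)` below prints the unsigned request count with `%d`; `%u` would match the type the commit message gives. The body of this `if` and the rest of ipa3_qmi_add_offload_request_send run past the end of the hunk.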