lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "rpmsg: slatecom: out of bound read from process_cmd" into kernel.lnx.5.4.r1-rel

Browse Source
This commit is contained in:
Linux Build Service Account 2024-03-11 03:51:15 -07:00 committed by Gerrit - the friendly Code Review server
commit 1130afed29
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
drivers/rpmsg/qcom_glink_slatecom.c
View File

@ -1900,7 +1900,7 @@ static void glink_slatecom_handle_rx_done(struct glink_slatecom *glink,
mutex_unlock(&channel->intent_lock);
}
static void glink_slatecom_process_cmd(struct glink_slatecom *glink, void *rx_data,
static int glink_slatecom_process_cmd(struct glink_slatecom *glink, void *rx_data,
u32 rx_size)
{
struct glink_slatecom_msg *msg;
@ -1909,12 +1909,18 @@ static void glink_slatecom_process_cmd(struct glink_slatecom *glink, void *rx_da
unsigned int param3;
unsigned int param4;
unsigned int cmd;
int offset = 0;
int ret;
u32 offset = 0;
int ret = 0;
u16 name_len;
char *name;
while (offset < rx_size) {
if (rx_size - offset < sizeof(struct glink_slatecom_msg)) {
ret = -EBADMSG;
GLINK_ERR(glink, "%s: Error %d process cmd\n", __func__, ret);
return ret;
}
msg = (struct glink_slatecom_msg *)(rx_data + offset);
offset += sizeof(*msg);
@ -1997,6 +2003,7 @@ static void glink_slatecom_process_cmd(struct glink_slatecom *glink, void *rx_da
break;
}
}
return ret;
}
/**