msm: ipc: Detect integer overflow before it happens
As per ANSI C Standard document, integer overflow is an undefined behavior. So update the code to detect integer overflow before it happens. CRs-Fixed: 491629 Change-Id: Ifd90c05266477c7734710bb94b9021f8bb9ab761 Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
This commit is contained in:
parent
e37b3f8856
commit
33522c4cd6
|
@ -55,6 +55,10 @@ do { \
|
|||
} \
|
||||
} while (0) \
|
||||
|
||||
#ifndef SIZE_MAX
|
||||
#define SIZE_MAX ((size_t)-1)
|
||||
#endif
|
||||
|
||||
static int sockets_enabled;
|
||||
static struct proto msm_ipc_proto;
|
||||
static const struct proto_ops msm_ipc_proto_ops;
|
||||
|
@ -458,7 +462,8 @@ static int msm_ipc_router_ioctl(struct socket *sock,
|
|||
struct msm_ipc_port *port_ptr;
|
||||
struct server_lookup_args server_arg;
|
||||
struct msm_ipc_server_info *srv_info = NULL;
|
||||
unsigned int n, srv_info_sz = 0;
|
||||
unsigned int n;
|
||||
size_t srv_info_sz = 0;
|
||||
int ret;
|
||||
|
||||
if (!sk)
|
||||
|
@ -499,16 +504,16 @@ static int msm_ipc_router_ioctl(struct socket *sock,
|
|||
break;
|
||||
}
|
||||
if (server_arg.num_entries_in_array) {
|
||||
srv_info_sz = server_arg.num_entries_in_array *
|
||||
sizeof(*srv_info);
|
||||
if ((srv_info_sz / sizeof(*srv_info)) !=
|
||||
server_arg.num_entries_in_array) {
|
||||
if (server_arg.num_entries_in_array >
|
||||
(SIZE_MAX / sizeof(*srv_info))) {
|
||||
pr_err("%s: Integer Overflow %d * %d\n",
|
||||
__func__, sizeof(*srv_info),
|
||||
server_arg.num_entries_in_array);
|
||||
ret = -EINVAL;
|
||||
break;
|
||||
}
|
||||
srv_info_sz = server_arg.num_entries_in_array *
|
||||
sizeof(*srv_info);
|
||||
srv_info = kmalloc(srv_info_sz, GFP_KERNEL);
|
||||
if (!srv_info) {
|
||||
ret = -ENOMEM;
|
||||
|
|
|
@ -32,6 +32,11 @@
|
|||
|
||||
#define IRSC_COMPLETION_TIMEOUT_MS 30000
|
||||
#define SEC_RULES_HASH_SZ 32
|
||||
|
||||
#ifndef SIZE_MAX
|
||||
#define SIZE_MAX ((size_t)-1)
|
||||
#endif
|
||||
|
||||
struct security_rule {
|
||||
struct list_head list;
|
||||
uint32_t service_id;
|
||||
|
@ -99,7 +104,7 @@ int msm_ipc_config_sec_rules(void *arg)
|
|||
struct config_sec_rules_args sec_rules_arg;
|
||||
struct security_rule *rule, *temp_rule;
|
||||
int key;
|
||||
int group_info_sz;
|
||||
size_t group_info_sz;
|
||||
int ret;
|
||||
|
||||
if (current_euid())
|
||||
|
@ -113,12 +118,12 @@ int msm_ipc_config_sec_rules(void *arg)
|
|||
if (sec_rules_arg.num_group_info <= 0)
|
||||
return -EINVAL;
|
||||
|
||||
group_info_sz = sec_rules_arg.num_group_info * sizeof(gid_t);
|
||||
if ((group_info_sz / sizeof(gid_t)) != sec_rules_arg.num_group_info) {
|
||||
if (sec_rules_arg.num_group_info > (SIZE_MAX / sizeof(gid_t))) {
|
||||
pr_err("%s: Integer Overflow %d * %d\n", __func__,
|
||||
sizeof(gid_t), sec_rules_arg.num_group_info);
|
||||
return -EINVAL;
|
||||
}
|
||||
group_info_sz = sec_rules_arg.num_group_info * sizeof(gid_t);
|
||||
|
||||
rule = kzalloc(sizeof(struct security_rule), GFP_KERNEL);
|
||||
if (!rule) {
|
||||
|
|
Loading…
Reference in New Issue