msm: ipc: Detect integer overflow before it happens

As per ANSI C Standard document, integer overflow is an undefined behavior. So update the code to detect integer overflow before it happens. CRs-Fixed: 491629 Change-Id: Ifd90c05266477c7734710bb94b9021f8bb9ab761 Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
2013-05-31 15:36:38 -06:00 · 2013-05-31 15:36:38 -06:00 · 33522c4cd6
parent e37b3f8856
commit 33522c4cd6
2 changed files with 18 additions and 8 deletions
--- a/arch/arm/mach-msm/ipc_socket.c
+++ b/arch/arm/mach-msm/ipc_socket.c
@ -55,6 +55,10 @@ do { \
 	} \
 } while (0) \

+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
 static int sockets_enabled;
 static struct proto msm_ipc_proto;
 static const struct proto_ops msm_ipc_proto_ops;
@ -458,7 +462,8 @@ static int msm_ipc_router_ioctl(struct socket *sock,
 	struct msm_ipc_port *port_ptr;
 	struct server_lookup_args server_arg;
 	struct msm_ipc_server_info *srv_info = NULL;
-	unsigned int n, srv_info_sz = 0;
+	unsigned int n;
+	size_t srv_info_sz = 0;
 	int ret;

 	if (!sk)
@ -499,16 +504,16 @@ static int msm_ipc_router_ioctl(struct socket *sock,
 			break;
 		}
 		if (server_arg.num_entries_in_array) {
-			srv_info_sz = server_arg.num_entries_in_array *
-					sizeof(*srv_info);
-			if ((srv_info_sz / sizeof(*srv_info)) !=
-			    server_arg.num_entries_in_array) {
+			if (server_arg.num_entries_in_array >
+				(SIZE_MAX / sizeof(*srv_info))) {
 				pr_err("%s: Integer Overflow %d * %d\n",
 					__func__, sizeof(*srv_info),
 					server_arg.num_entries_in_array);
 				ret = -EINVAL;
 				break;
 			}
+			srv_info_sz = server_arg.num_entries_in_array *
+					sizeof(*srv_info);
 			srv_info = kmalloc(srv_info_sz, GFP_KERNEL);
 			if (!srv_info) {
 				ret = -ENOMEM;
--- a/arch/arm/mach-msm/msm_ipc_router_security.c
+++ b/arch/arm/mach-msm/msm_ipc_router_security.c
@ -32,6 +32,11 @@

 #define IRSC_COMPLETION_TIMEOUT_MS 30000
 #define SEC_RULES_HASH_SZ 32
+
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
 struct security_rule {
 	struct list_head list;
 	uint32_t service_id;
@ -99,7 +104,7 @@ int msm_ipc_config_sec_rules(void *arg)
 	struct config_sec_rules_args sec_rules_arg;
 	struct security_rule *rule, *temp_rule;
 	int key;
-	int group_info_sz;
+	size_t group_info_sz;
 	int ret;

 	if (current_euid())
@ -113,12 +118,12 @@ int msm_ipc_config_sec_rules(void *arg)
 	if (sec_rules_arg.num_group_info <= 0)
 		return -EINVAL;

-	group_info_sz = sec_rules_arg.num_group_info * sizeof(gid_t);
-	if ((group_info_sz / sizeof(gid_t)) != sec_rules_arg.num_group_info) {
+	if (sec_rules_arg.num_group_info > (SIZE_MAX / sizeof(gid_t))) {
 		pr_err("%s: Integer Overflow %d * %d\n", __func__,
 			sizeof(gid_t), sec_rules_arg.num_group_info);
 		return -EINVAL;
 	}
+	group_info_sz = sec_rules_arg.num_group_info * sizeof(gid_t);

 	rule = kzalloc(sizeof(struct security_rule), GFP_KERNEL);
 	if (!rule) {