commit 197e6c34a5f0cbcc70decd8c7f8b2889c38a02fe
author Hamad Kadmany <hkadmany@codeaurora.org> Sun Nov 17 11:31:01 2013 +0200
committer Gerrit - the friendly Code Review server <code-review@localhost> Sun Nov 17 01:57:37 2013 -0800
tree 773ec4f365fbb446c98b58ac7ff2a88f4ea0cbe4
parent 59531340c88e1ca79e320e2ee113dbc071d312c7

tspp: Protect against buffer overflow

Change filter->priority to unsigned int. Since it was defined as integer,
it may have had negative value and cause accessing an array outside
of its region

CRs-Fixed: 561802, 561825
Change-Id: Ie72aa09b07e79b0b67081b74e3b2057de30f03d0
Signed-off-by: Hamad Kadmany <hkadmany@codeaurora.org>

drivers/misc/tspp.c

diff --git a/drivers/misc/tspp.c b/drivers/misc/tspp.c
index 1135c37..f6aa9cc 100644
--- a/drivers/misc/tspp.c
+++ b/drivers/misc/tspp.c
@@ -1755,7 +1755,7 @@
 	}
 
 	if (filter->priority >= TSPP_NUM_PRIORITIES) {
-		pr_err("tspp invalid source");
+		pr_err("tspp invalid filter priority");
 		return -ENOSR;
 	}
 
@@ -1884,6 +1884,10 @@
 		pr_err("tspp_remove: can't find device %i", dev);
 		return -ENODEV;
 	}
+	if (filter->priority >= TSPP_NUM_PRIORITIES) {
+		pr_err("tspp invalid filter priority");
+		return -ENOSR;
+	}
 	channel = &pdev->channels[channel_id];
 
 	src = channel->src;

include/linux/tspp.h

diff --git a/include/linux/tspp.h b/include/linux/tspp.h
index c790c28..ddddbfb 100644
--- a/include/linux/tspp.h
+++ b/include/linux/tspp.h
@@ -34,7 +34,7 @@
 	int pid;
 	int mask;
 	enum tspp_mode mode;
-	int priority;	/* 0 - 15 */
+	unsigned int priority;	/* 0 - 15 */
 	int decrypt;
 	enum tspp_source source;
 };