qseecom: Validate the incoming length from user space Check if there is no integer overflow before using req_len and resp_len (received from user space). If an overflow is detected then exit the operation. Change-Id: I0459a6992bb3b280db42be63a275c55fa6105b1c Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>

commit: 9f3ffb3b15c9bb4eeca75c83b29bc3de05d197d7 [log] [tgz]
author: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org> Thu Oct 03 16:43:39 2013 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> Mon Nov 18 17:32:17 2013 -0800
tree: dfe63748dd7f8198d22c0fff09a7d1944c989732
parent: c3598ea743d229de6ed1fdd153843aadd66d047c [diff] [blame]
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index ac67c9d..d1fc8e4 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c

@@ -1014,6 +1014,11 @@
 		return -EINVAL;
 	}
 
+	if (req->cmd_req_len > UINT_MAX - req->resp_len) {
+		pr_err("Integer overflow detected in req_len & rsp_len, exiting now\n");
+		return -EINVAL;
+	}
+
 	reqd_len_sb_in = req->cmd_req_len + req->resp_len;
 	if (reqd_len_sb_in > data->client.sb_length) {
 		pr_debug("Not enough memory to fit cmd_buf and "
commit	9f3ffb3b15c9bb4eeca75c83b29bc3de05d197d7	[log] [tgz]
author	Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>	Thu Oct 03 16:43:39 2013 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	Mon Nov 18 17:32:17 2013 -0800
tree	dfe63748dd7f8198d22c0fff09a7d1944c989732
parent	c3598ea743d229de6ed1fdd153843aadd66d047c [diff] [blame]