platform: msm_shared: fix possible overflow of rand_buf in scm_random
Check the sizeof rand_buf against random number requested, in random
number generated.
Change-Id: Ia34636ddf3f141a322dea1a60750ad19e15b992b
diff --git a/platform/msm_shared/scm.c b/platform/msm_shared/scm.c
index b544201..a0c3958 100644
--- a/platform/msm_shared/scm.c
+++ b/platform/msm_shared/scm.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -1094,6 +1094,13 @@
// Memory passed to TZ should be algined to cache line
BUF_DMA_ALIGN(rand_buf, sizeof(uintptr_t));
+ // r_len must be less than or equal to sizeof(rand_buf) to avoid memory corruption.
+ if (r_len > sizeof(rand_buf))
+ {
+ dprintf(CRITICAL, "r_len is larger than sizeof(randbuf).");
+ return -1;
+ }
+
if (!is_scm_armv8_support())
{
data.out_buf = (uint8_t*) rand_buf;