crypto: msm: restrict value of num_fds to QCEDEV_MAX_BUFFERS Set the max value of num_fds to QCEDEV_MAX_BUFFERS to prevent out of bound access of fd, fd_size, fd_offset array. Change-Id: I88889472a4bd14f786588bd2c9e06e69a98e94c9 Signed-off-by: Prerna Kalla <prernak@codeaurora.org>

commit: 2ffd3645086ca0dd20f426b3a6ab01022d0fc6c4 [log] [tgz]
author: Prerna Kalla <prernak@codeaurora.org> Mon Mar 30 17:31:07 2020 +0530
committer: Prerna Kalla <prernak@codeaurora.org> Wed Apr 15 00:23:54 2020 +0530
tree: 0b0968787eb4bee74dd3804cb815328d0eee4a2c
parent: e391b11825ac69da33c316b7f4dbb5def0fa5b12 [diff]
diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
index db1d3d8..a9ec5954 100644
--- a/drivers/crypto/msm/qcedev.c
+++ b/drivers/crypto/msm/qcedev.c

@@ -1,7 +1,7 @@
 /*
  * QTI CE device driver.
  *
- * Copyright (c) 2010-2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2010-2020, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -1918,6 +1918,11 @@
 				goto exit_free_qcedev_areq;
 			}
 
+			if (map_buf.num_fds > QCEDEV_MAX_BUFFERS) {
+				err = -EINVAL;
+				goto exit_free_qcedev_areq;
+			}
+
 			for (i = 0; i < map_buf.num_fds; i++) {
 				err = qcedev_check_and_map_buffer(handle,
 						map_buf.fd[i],
commit	2ffd3645086ca0dd20f426b3a6ab01022d0fc6c4	[log] [tgz]
author	Prerna Kalla <prernak@codeaurora.org>	Mon Mar 30 17:31:07 2020 +0530
committer	Prerna Kalla <prernak@codeaurora.org>	Wed Apr 15 00:23:54 2020 +0530
tree	0b0968787eb4bee74dd3804cb815328d0eee4a2c
parent	e391b11825ac69da33c316b7f4dbb5def0fa5b12 [diff]