crypto: msm: restrict value of num_fds to QCEDEV_MAX_BUFFERS
Set the max value of num_fds to QCEDEV_MAX_BUFFERS to prevent
out of bound access of fd, fd_size, fd_offset array.
Change-Id: I88889472a4bd14f786588bd2c9e06e69a98e94c9
Signed-off-by: Prerna Kalla <prernak@codeaurora.org>
diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
index db1d3d8..a9ec5954 100644
--- a/drivers/crypto/msm/qcedev.c
+++ b/drivers/crypto/msm/qcedev.c
@@ -1,7 +1,7 @@
/*
* QTI CE device driver.
*
- * Copyright (c) 2010-2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2010-2020, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1918,6 +1918,11 @@
goto exit_free_qcedev_areq;
}
+ if (map_buf.num_fds > QCEDEV_MAX_BUFFERS) {
+ err = -EINVAL;
+ goto exit_free_qcedev_areq;
+ }
+
for (i = 0; i < map_buf.num_fds; i++) {
err = qcedev_check_and_map_buffer(handle,
map_buf.fd[i],