commit 345c814e35c5ab59195a2251bffb80aebb40d6cf
author Skylar Chang <chiaweic@codeaurora.org> Wed Nov 30 14:41:24 2016 -0800
committer Gerrit - the friendly Code Review server <code-review@localhost> Mon Mar 20 11:14:29 2017 -0700
tree 647165bf0aa489919698dde8be63968e330d5192
parent 1d8f547710cda5e8ec34059bdefbc1fdca756659

msm: ipa: fix the potential heap overflow on wan-driver

Add a check on rmnet_ipa3_set_tether_client_pipe API
to make sure not accessing more than QMI_IPA_MAX_PIPES_V01
entries when user-space module tries to set pipe index
more than QMI_IPA_MAX_PIPES_V01.

Change-Id: I59d39c7e5743dfea17853b6c4709605d4ebae962
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>

drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c

diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
index 3e1a8fb..9a400d9 100644
--- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
@@ -2681,6 +2681,23 @@
 {
 	int number, i;
 
+	/* error checking if ul_src_pipe_len valid or not*/
+	if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+		data->ul_src_pipe_len < 0) {
+		IPAWANERR("UL src pipes %d exceeding max %d\n",
+			data->ul_src_pipe_len,
+			QMI_IPA_MAX_PIPES_V01);
+		return -EFAULT;
+	}
+	/* error checking if dl_dst_pipe_len valid or not*/
+	if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+		data->dl_dst_pipe_len < 0) {
+		IPAWANERR("DL dst pipes %d exceeding max %d\n",
+			data->dl_dst_pipe_len,
+			QMI_IPA_MAX_PIPES_V01);
+		return -EFAULT;
+	}
+
 	IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",
 	data->ipa_client,
 	data->ul_src_pipe_len,