msm: ipa: fix the potential heap overflow on wan-driver
Add a check on rmnet_ipa3_set_tether_client_pipe API
to make sure not accessing more than QMI_IPA_MAX_PIPES_V01
entries when user-space module tries to set pipe index
more than QMI_IPA_MAX_PIPES_V01.
Change-Id: I59d39c7e5743dfea17853b6c4709605d4ebae962
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
index 3e1a8fb..9a400d9 100644
--- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
@@ -2681,6 +2681,23 @@
{
int number, i;
+ /* error checking if ul_src_pipe_len valid or not*/
+ if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+ data->ul_src_pipe_len < 0) {
+ IPAWANERR("UL src pipes %d exceeding max %d\n",
+ data->ul_src_pipe_len,
+ QMI_IPA_MAX_PIPES_V01);
+ return -EFAULT;
+ }
+ /* error checking if dl_dst_pipe_len valid or not*/
+ if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+ data->dl_dst_pipe_len < 0) {
+ IPAWANERR("DL dst pipes %d exceeding max %d\n",
+ data->dl_dst_pipe_len,
+ QMI_IPA_MAX_PIPES_V01);
+ return -EFAULT;
+ }
+
IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",
data->ipa_client,
data->ul_src_pipe_len,