commit bd3627dae5f1a34e0284cfe167f61273ecc2f386
author Mohammed Javid <mjavid@codeaurora.org> Fri Mar 16 11:24:27 2018 +0530
committer Mohammed Javid <mjavid@codeaurora.org> Mon Mar 19 22:42:52 2018 +0530
tree a6389d6e6af7ba8e6c9193680cf332649153caf6
parent 4b19ee48c6df14b141d85255af6aa08da2738438

msm: ipa3: Fix to validate the user inputs

Adding code changes to validate user inputs.
Before allocating the NAT entry verifying the
NAT entry size in range or not.

Change-Id: I47b97973a3ea66b1627a323f77778b295c7765a4
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>

drivers/platform/msm/ipa/ipa_v3/ipa_nat.c

diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c b/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c
index c2daa05..19d3d30 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_nat.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -31,6 +31,13 @@
 #define IPA_IPV6CT_MAX_NUM_OF_INIT_CMD_DESC 2
 #define IPA_MAX_NUM_OF_TABLE_DMA_CMD_DESC 4
 
+/*
+ * The base table max entries is limited by index into table 13 bits number.
+ * Limit the memory size required by user to prevent kernel memory starvation
+ */
+#define IPA_TABLE_MAX_ENTRIES 8192
+#define MAX_ALLOC_NAT_SIZE(size) (IPA_TABLE_MAX_ENTRIES * size)
+
 enum ipa_nat_ipv6ct_table_type {
 	IPA_NAT_BASE_TBL = 0,
 	IPA_NAT_EXPN_TBL = 1,
@@ -338,10 +345,12 @@
 }
 
 static int ipa3_nat_ipv6ct_allocate_mem(struct ipa3_nat_ipv6ct_common_mem *dev,
-	struct ipa_ioc_nat_ipv6ct_table_alloc *table_alloc)
+	struct ipa_ioc_nat_ipv6ct_table_alloc *table_alloc,
+	enum ipahal_nat_type nat_type)
 {
 	gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO;
 	int result = 0;
+	size_t nat_entry_size;
 
 	IPADBG("passed memory size %zu for %s\n",
 		table_alloc->size, dev->name);
@@ -358,6 +367,15 @@
 		goto bail;
 	}
 
+	ipahal_nat_entry_size(nat_type, &nat_entry_size);
+	if (table_alloc->size > MAX_ALLOC_NAT_SIZE(nat_entry_size)) {
+		IPAERR("Trying allocate more size = %zu, Max allowed = %zu\n",
+				table_alloc->size,
+				MAX_ALLOC_NAT_SIZE(nat_entry_size));
+		result = -EPERM;
+		goto bail;
+	}
+
 	if (!table_alloc->size) {
 		IPAERR_RL("Invalid Parameters\n");
 		result = -EPERM;
@@ -433,7 +451,8 @@
 
 	mutex_lock(&nat_ctx->dev.lock);
 
-	result = ipa3_nat_ipv6ct_allocate_mem(&nat_ctx->dev, table_alloc);
+	result = ipa3_nat_ipv6ct_allocate_mem(&nat_ctx->dev, table_alloc,
+							IPAHAL_NAT_IPV4);
 	if (result)
 		goto bail;
 
@@ -507,7 +526,7 @@
 	mutex_lock(&ipa3_ctx->ipv6ct_mem.dev.lock);
 
 	result = ipa3_nat_ipv6ct_allocate_mem(
-		&ipa3_ctx->ipv6ct_mem.dev, table_alloc);
+		&ipa3_ctx->ipv6ct_mem.dev, table_alloc, IPAHAL_NAT_IPV6CT);
 	if (result)
 		goto bail;