Merge "soc: qcom: Avoid possible buffer overflow in service-locator" into msm-4.9

commit: f95e89730009e0edec1d5b290924f01b9bbc80c0 [log] [tgz]
author: Kyle Yan <kyan@quicinc.com> Thu Mar 30 21:47:45 2017 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> Thu Mar 30 21:47:45 2017 -0700
tree: 77c1916abd7c87c916eeaeae3d6bf231290d7fa5
parent: 7849bb199f96f8d8a62676fbc20b46a25d98277c [diff]
parent: 57c02ee800deca8f72c6573849c78ba5e5e8a6b5 [diff]
diff --git a/drivers/soc/qcom/service-locator.c b/drivers/soc/qcom/service-locator.c
index 10caf22..8e9ad9b 100644
--- a/drivers/soc/qcom/service-locator.c
+++ b/drivers/soc/qcom/service-locator.c

@@ -266,10 +266,12 @@
 		if (!domains_read) {
 			db_rev_count = pd->db_rev_count = resp->db_rev_count;
 			pd->total_domains = resp->total_domains;
-			if (!pd->total_domains && resp->domain_list_len) {
-				pr_err("total domains not set\n");
-				pd->total_domains = resp->domain_list_len;
+			if (!resp->total_domains) {
+				pr_err("No matching domains found\n");
+				rc = -EIO;
+				goto out;
 			}
+
 			pd->domain_list = kmalloc(
 					sizeof(struct servreg_loc_entry_v01) *
 					resp->total_domains, GFP_KERNEL);
@@ -286,6 +288,10 @@
 			rc = -EAGAIN;
 			goto out;
 		}
+		if (resp->domain_list_len >  resp->total_domains) {
+			/* Always read total_domains from the response msg */
+			resp->domain_list_len = resp->total_domains;
+		}
 		/* Copy the response*/
 		store_get_domain_list_response(pd, resp, domains_read);
 		domains_read += resp->domain_list_len;
commit	f95e89730009e0edec1d5b290924f01b9bbc80c0	[log] [tgz]
author	Kyle Yan <kyan@quicinc.com>	Thu Mar 30 21:47:45 2017 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	Thu Mar 30 21:47:45 2017 -0700
tree	77c1916abd7c87c916eeaeae3d6bf231290d7fa5
parent	7849bb199f96f8d8a62676fbc20b46a25d98277c [diff]
parent	57c02ee800deca8f72c6573849c78ba5e5e8a6b5 [diff]