msm: pcie: add the checking of userspace input length
Add the checking of the input length from userspace so kernel
space will not copy any content outside the input buffer.
Change-Id: I114ac005f5305d863bfc0d0fc2db7b5e6d683834
Signed-off-by: Tony Truong <truong@codeaurora.org>
diff --git a/drivers/pci/host/pci-msm.c b/drivers/pci/host/pci-msm.c
index 72617e8..a339496 100644
--- a/drivers/pci/host/pci-msm.c
+++ b/drivers/pci/host/pci-msm.c
@@ -2536,13 +2536,14 @@
char str[MAX_MSG_LEN];
unsigned int testcase = 0;
int i;
+ u32 size = sizeof(str) < count ? sizeof(str) : count;
- memset(str, 0, sizeof(str));
- ret = copy_from_user(str, buf, sizeof(str));
+ memset(str, 0, size);
+ ret = copy_from_user(str, buf, size);
if (ret)
return -EFAULT;
- for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
+ for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
testcase = (testcase * 10) + (str[i] - '0');
if (!rc_sel)
@@ -2571,13 +2572,14 @@
char str[MAX_MSG_LEN];
int i;
u32 new_rc_sel = 0;
+ u32 size = sizeof(str) < count ? sizeof(str) : count;
- memset(str, 0, sizeof(str));
- ret = copy_from_user(str, buf, sizeof(str));
+ memset(str, 0, size);
+ ret = copy_from_user(str, buf, size);
if (ret)
return -EFAULT;
- for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
+ for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
new_rc_sel = (new_rc_sel * 10) + (str[i] - '0');
if ((!new_rc_sel) || (new_rc_sel > rc_sel_max)) {
@@ -2614,13 +2616,14 @@
int i;
u32 new_base_sel = 0;
char *base_sel_name;
+ u32 size = sizeof(str) < count ? sizeof(str) : count;
- memset(str, 0, sizeof(str));
- ret = copy_from_user(str, buf, sizeof(str));
+ memset(str, 0, size);
+ ret = copy_from_user(str, buf, size);
if (ret)
return -EFAULT;
- for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
+ for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
new_base_sel = (new_base_sel * 10) + (str[i] - '0');
if (!new_base_sel || new_base_sel > 5) {
@@ -2715,14 +2718,15 @@
unsigned long ret;
char str[MAX_MSG_LEN];
int i;
+ u32 size = sizeof(str) < count ? sizeof(str) : count;
- memset(str, 0, sizeof(str));
- ret = copy_from_user(str, buf, sizeof(str));
+ memset(str, 0, size);
+ ret = copy_from_user(str, buf, size);
if (ret)
return -EFAULT;
wr_offset = 0;
- for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
+ for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
wr_offset = (wr_offset * 10) + (str[i] - '0');
pr_alert("PCIe: wr_offset is now 0x%x\n", wr_offset);
@@ -2741,14 +2745,15 @@
unsigned long ret;
char str[MAX_MSG_LEN];
int i;
+ u32 size = sizeof(str) < count ? sizeof(str) : count;
- memset(str, 0, sizeof(str));
- ret = copy_from_user(str, buf, sizeof(str));
+ memset(str, 0, size);
+ ret = copy_from_user(str, buf, size);
if (ret)
return -EFAULT;
wr_mask = 0;
- for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
+ for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
wr_mask = (wr_mask * 10) + (str[i] - '0');
pr_alert("PCIe: wr_mask is now 0x%x\n", wr_mask);
@@ -2766,14 +2771,15 @@
unsigned long ret;
char str[MAX_MSG_LEN];
int i;
+ u32 size = sizeof(str) < count ? sizeof(str) : count;
- memset(str, 0, sizeof(str));
- ret = copy_from_user(str, buf, sizeof(str));
+ memset(str, 0, size);
+ ret = copy_from_user(str, buf, size);
if (ret)
return -EFAULT;
wr_value = 0;
- for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
+ for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
wr_value = (wr_value * 10) + (str[i] - '0');
pr_alert("PCIe: wr_value is now 0x%x\n", wr_value);
@@ -2892,14 +2898,15 @@
unsigned long ret;
char str[MAX_MSG_LEN];
int i;
+ u32 size = sizeof(str) < count ? sizeof(str) : count;
- memset(str, 0, sizeof(str));
- ret = copy_from_user(str, buf, sizeof(str));
+ memset(str, 0, size);
+ ret = copy_from_user(str, buf, size);
if (ret)
return -EFAULT;
corr_counter_limit = 0;
- for (i = 0; i < sizeof(str) && (str[i] >= '0') && (str[i] <= '9'); ++i)
+ for (i = 0; i < size && (str[i] >= '0') && (str[i] <= '9'); ++i)
corr_counter_limit = (corr_counter_limit * 10) + (str[i] - '0');
pr_info("PCIe: corr_counter_limit is now %lu\n", corr_counter_limit);