Merge "msm: ipc: Detect integer overflow before it happens"
diff --git a/arch/arm/mach-msm/ipc_socket.c b/arch/arm/mach-msm/ipc_socket.c
index 042b9f1..6208563 100644
--- a/arch/arm/mach-msm/ipc_socket.c
+++ b/arch/arm/mach-msm/ipc_socket.c
@@ -55,6 +55,10 @@
} \
} while (0) \
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
static int sockets_enabled;
static struct proto msm_ipc_proto;
static const struct proto_ops msm_ipc_proto_ops;
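Review bot: The `SIZE_MAX` fallback added here is defined a second time, identically, in msm_ipc_router_security.c, so the two copies can drift; a single definition in a header that both files include would be easier to keep correct. A short comment such as `/* fallback for trees whose headers do not provide SIZE_MAX */` would explain why the guard exists. As rendered on this page the new `#ifndef` sits directly under a macro line ending in a continuation backslash; the hunk's line counts suggest a blank line was dropped from the page, but it is worth confirming in the file, since a directive folded into the macro body would not take effect as intended.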
@@ -458,7 +462,8 @@
struct msm_ipc_port *port_ptr;
struct server_lookup_args server_arg;
struct msm_ipc_server_info *srv_info = NULL;
- unsigned int n, srv_info_sz = 0;
+ unsigned int n;
+ size_t srv_info_sz = 0;
int ret;
if (!sk)
@@ -499,16 +504,16 @@
break;
}
if (server_arg.num_entries_in_array) {
- srv_info_sz = server_arg.num_entries_in_array *
- sizeof(*srv_info);
- if ((srv_info_sz / sizeof(*srv_info)) !=
- server_arg.num_entries_in_array) {
+ if (server_arg.num_entries_in_array >
+ (SIZE_MAX / sizeof(*srv_info))) {
pr_err("%s: Integer Overflow %d * %d\n",
__func__, sizeof(*srv_info),
server_arg.num_entries_in_array);
ret = -EINVAL;
break;
}
+ srv_info_sz = server_arg.num_entries_in_array *
+ sizeof(*srv_info);
srv_info = kmalloc(srv_info_sz, GFP_KERNEL);
if (!srv_info) {
ret = -ENOMEM;
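Review bot: The `pr_err` on the overflow path passes `sizeof(*srv_info)` to a `%d` conversion, which does not match `size_t`; it should read `pr_err("%s: Integer Overflow %zu * %u\n", ...)`, with the second specifier confirmed against the declared type of `num_entries_in_array`, which is not visible here. The same mismatch appears in the `pr_err` that prints `sizeof(gid_t)` in the msm_ipc_router_security.c hunk. Separately, the new pre-multiplication check rejects only counts that would wrap, so `num_entries_in_array` still sizes the `kmalloc` with no upper bound; if `server_arg` is filled from a caller-supplied request, as its use here suggests, a documented maximum entry count checked before the allocation would bound it, and the message could use `pr_err_ratelimited` so repeated bad requests cannot flood the log. The enclosing function starts and ends outside this hunk.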
diff --git a/arch/arm/mach-msm/msm_ipc_router_security.c b/arch/arm/mach-msm/msm_ipc_router_security.c
index 63c8cd7..5897e1f 100644
--- a/arch/arm/mach-msm/msm_ipc_router_security.c
+++ b/arch/arm/mach-msm/msm_ipc_router_security.c
@@ -32,6 +32,11 @@
#define IRSC_COMPLETION_TIMEOUT_MS 30000
#define SEC_RULES_HASH_SZ 32
+
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
struct security_rule {
struct list_head list;
uint32_t service_id;
@@ -99,7 +104,7 @@
struct config_sec_rules_args sec_rules_arg;
struct security_rule *rule, *temp_rule;
int key;
- int group_info_sz;
+ size_t group_info_sz;
int ret;
if (current_euid())
@@ -113,12 +118,12 @@
if (sec_rules_arg.num_group_info <= 0)
return -EINVAL;
- group_info_sz = sec_rules_arg.num_group_info * sizeof(gid_t);
- if ((group_info_sz / sizeof(gid_t)) != sec_rules_arg.num_group_info) {
+ if (sec_rules_arg.num_group_info > (SIZE_MAX / sizeof(gid_t))) {
pr_err("%s: Integer Overflow %d * %d\n", __func__,
sizeof(gid_t), sec_rules_arg.num_group_info);
return -EINVAL;
}
+ group_info_sz = sec_rules_arg.num_group_info * sizeof(gid_t);
rule = kzalloc(sizeof(struct security_rule), GFP_KERNEL);
if (!rule) {