From 7f1f5edd886896e904351b97e09c93a66e338716 Mon Sep 17 00:00:00 2001
From: Krishnankutty Kolathappilly <kkolatha@codeaurora.org>
Date: Thu, 9 Apr 2015 20:02:13 -0700
Subject: [PATCH] msm: cpp: Add missing error handling checks

Check for validity of length of ioctl pointer.

Change-Id: I6103a5ad7a9842b1a2de8bdb53959df8a5f5cfcc
Signed-off-by: Krishnankutty Kolathappilly <kkolatha@codeaurora.org>
---
 .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index 1ff49416b90a..2214a8df82b5 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2014, 2016 The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -1695,6 +1695,11 @@ static int msm_cpp_copy_from_ioctl_ptr(void *dst_ptr,
 struct msm_camera_v4l2_ioctl_t *ioctl_ptr)
 {
 int ret;
+ if ((ioctl_ptr->ioctl_ptr == NULL) || (ioctl_ptr->len == 0)) {
+ pr_err("%s: Wrong ioctl_ptr %p / len %zu\n", __func__,
+ ioctl_ptr, ioctl_ptr->len);
+ return -EINVAL;
+ }
 /* For compat task, source ptr is in kernel space */
 if (is_compat_task()) {
@@ -1714,6 +1719,12 @@ static int msm_cpp_copy_from_ioctl_ptr(void *dst_ptr,
 {
 int ret;
+ if ((ioctl_ptr->ioctl_ptr == NULL) || (ioctl_ptr->len == 0)) {
+ pr_err("%s: Wrong ioctl_ptr %p / len %zu\n", __func__,
+ ioctl_ptr, ioctl_ptr->len);
+ return -EINVAL;
+ }
+
 ret = copy_from_user(dst_ptr, (void __user *)ioctl_ptr->ioctl_ptr, ioctl_ptr->len);
 if (ret)
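Review bot: In the hunk at -1695 (the variant that tests is_compat_task()), the new pr_err passes `ioctl_ptr`, the address of the kernel-side struct, to `%p` rather than the `ioctl_ptr->ioctl_ptr` field the condition just tested, so the log line records a kernel address and omits the value that failed. The message is also printed without rate limiting on what appears to be a caller-driven ioctl path, so repeated bad requests can flood the log. I would log only the length, `pr_err_ratelimited("%s: NULL ioctl_ptr or zero len %zu\n", __func__, ioctl_ptr->len);`, or print the field with `%pK` if the pointer value is really wanted. The identical line in the hunk at -1714 needs the same change; both function bodies continue past their hunks.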
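Review bot: In the hunk at -1714, the added guard rejects only a NULL pointer and a zero length, so `ioctl_ptr->len` still reaches copy_from_user() with no upper bound, and because `dst_ptr` is a bare `void *` the helper cannot tell whether the copy fits the destination. The only matching `len != sizeof(...)` test this commit adds is the one for VIDIOC_MSM_CPP_QUEUE_BUF in the last hunk; any other caller that passes a fixed-size destination (none are visible in this diff) needs the same test before calling. A comment above the helper would make that contract explicit: `/* Caller must check ioctl_ptr->len against the size of the buffer behind dst_ptr. */`. This applies equally to the compat variant in the hunk at -1695. The function starts above and ends below this hunk.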
@@ -2046,6 +2057,10 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
 struct msm_pproc_queue_buf_info queue_buf_info;
 CPP_DBG("VIDIOC_MSM_CPP_QUEUE_BUF\n");
+ if (ioctl_ptr->len != sizeof(struct msm_pproc_queue_buf_info)) {
+ pr_err("%s: Not valid ioctl_ptr->len\n", __func__);
+ return -EINVAL;
+ }
 rc = msm_cpp_copy_from_ioctl_ptr(&queue_buf_info, ioctl_ptr);
 if (rc) {
 ERR_COPY_FROM_USER();
-- GitLab
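Review bot: The new length check leaves with a bare `return -EINVAL;`, whereas the copy-failure branch right below it calls ERR_COPY_FROM_USER() and continues outside the hunk, so it is not clear that a direct return is how this case normally exits. If msm_cpp_subdev_ioctl takes a lock or releases resources on a shared exit path (not visible here), the early return would skip it; `rc = -EINVAL; break;`, or whatever the copy-failure branch does, would keep the two error paths consistent. The message would also be more useful if it reported the received and expected sizes, `ioctl_ptr->len` and `sizeof(struct msm_pproc_queue_buf_info)`.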