Let's be well behaved and add a sanity check on the maximum greybus
payload size to avoid underflow on the calculated buffer size.
Reviewed-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
static int gb_uart_connection_init(struct gb_connection *connection)
{
+ size_t max_payload;
struct gb_tty *gb_tty;
struct device *tty_dev;
int retval;
goto error_alloc;
}
- gb_tty->buffer_payload_max =
- gb_operation_get_payload_size_max(connection) -
+ max_payload = gb_operation_get_payload_size_max(connection);
+ if (max_payload < sizeof(struct gb_uart_send_data_request)) {
+ retval = -EINVAL;
+ goto error_payload;
+ }
+
+ gb_tty->buffer_payload_max = max_payload -
sizeof(struct gb_uart_send_data_request);
gb_tty->buffer = kzalloc(gb_tty->buffer_payload_max, GFP_KERNEL);
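Review bot: The new guard `if (max_payload < sizeof(struct gb_uart_send_data_request))` still admits the case where the two sizes are equal, which leaves `buffer_payload_max` at 0 and passes a zero size to `kzalloc()`. In the kernel a zero-size allocation returns ZERO_SIZE_PTR rather than NULL, so a NULL check after the allocation (not visible in this hunk) would presumably not catch it. If a connection with no room for data bytes is not meant to be usable, `if (max_payload <= sizeof(struct gb_uart_send_data_request)) {` rejects it up front. The `error_payload` label targeted by the new `goto` is not in the visible hunks, so confirm it unwinds exactly what was set up before this point. The body of gb_uart_connection_init continues outside the hunk.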