greybus: operation: fix incoming request payload size

Fix the payload size of incoming requests, which should not include the
operation message-header size.

When creating requests we pass the sizes of request and response
payloads and greybus core allocates buffers and adds the required
headers. Specifically, the payload sizes do not include the
message-header size.

This is currently not the case for incoming requests however, something
which prevents protocol drivers from implementing appropriate input
verification and could lead to random data being treated as a valid
message in case of a short request.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index cb0c87aa4f986c6c2a1f4d73d6268e8d1f0dde17..8e37d144c89f41860504c61802d914c15c929578 100644 (file)
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -567,9 +567,13 @@ EXPORT_SYMBOL_GPL(gb_operation_create);
 
 static struct gb_operation *
 gb_operation_create_incoming(struct gb_connection *connection, u16 id,
-                               u8 type, void *data, size_t request_size)
+                               u8 type, void *data, size_t size)
 {
        struct gb_operation *operation;
+       size_t request_size;
+
+       /* Caller has made sure we at least have a message header. */
+       request_size = size - sizeof(struct gb_operation_msg_hdr);
 
        operation = gb_operation_create_common(connection,
                                        GB_OPERATION_TYPE_INVALID,
@@ -577,7 +581,7 @@ gb_operation_create_incoming(struct gb_connection *connection, u16 id,
        if (operation) {
                operation->id = id;
                operation->type = type;
-               memcpy(operation->request->header, data, request_size);
+               memcpy(operation->request->header, data, size);
        }
 
        return operation;