From: Johan Hovold
Date: Fri, 27 Mar 2015 11:41:18 +0000 (+0100)
Subject: greybus: operation: fix incoming request payload size
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=cfa79699cdef2e006f8414587c0e4d62209e4897;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git

greybus: operation: fix incoming request payload size

Fix the payload size of incoming requests, which should not include the operation message-header size.

When creating requests we pass the sizes of request and response payloads and greybus core allocates buffers and adds the required headers. Specifically, the payload sizes do not include the message-header size.

This is currently not the case for incoming requests however, something which prevents protocol drivers from implementing appropriate input verification and could lead to random data being treated as a valid message in case of a short request.

Signed-off-by: Johan Hovold
Reviewed-by: Alex Elder
Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c index cb0c87aa4f98..8e37d144c89f 100644 --- a/drivers/staging/greybus/operation.c +++ b/drivers/staging/greybus/operation.c @@ -567,9 +567,13 @@ EXPORT_SYMBOL_GPL(gb_operation_create); static struct gb_operation * gb_operation_create_incoming(struct gb_connection *connection, u16 id, - u8 type, void *data, size_t request_size) + u8 type, void *data, size_t size) { struct gb_operation *operation; + size_t request_size; + + /* Caller has made sure we at least have a message header. */ + request_size = size - sizeof(struct gb_operation_msg_hdr); operation = gb_operation_create_common(connection, GB_OPERATION_TYPE_INVALID, @@ -577,7 +581,7 @@ gb_operation_create_incoming(struct gb_connection *connection, u16 id, if (operation) { operation->id = id; operation->type = type; - memcpy(operation->request->header, data, request_size); + memcpy(operation->request->header, data, size); } return operation;
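Review bot: In the first hunk (@@ -567,9 +567,13 @@), `request_size = size - sizeof(struct gb_operation_msg_hdr);` is an unsigned subtraction whose only guard is the comment that the caller has checked for a full header. If a caller ever passes a shorter `size`, the result wraps to a very large size_t and is then used as the request payload size. Consider enforcing the precondition next to the arithmetic that depends on it, for example by returning NULL when `size < sizeof(struct gb_operation_msg_hdr)`, or at least a WARN_ON, rather than relying on a comment.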
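Review bot: In the second hunk (@@ -577,7 +581,7 @@), `memcpy(operation->request->header, data, size);` now copies header plus payload, and it is only in bounds if gb_operation_create_common allocated the message header plus `request_size` bytes, which the visible lines do not show. A one-line comment above the memcpy stating that `size == sizeof(struct gb_operation_msg_hdr) + request_size` matches the allocation would make the invariant reviewable. It is also worth noting in the commit message or in the code that protocol drivers should now compare the request payload size against the length they expect, since that is the input verification this change is meant to enable.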