From cfa79699cdef2e006f8414587c0e4d62209e4897 Mon Sep 17 00:00:00 2001
From: Johan Hovold
Date: Fri, 27 Mar 2015 12:41:18 +0100
Subject: [PATCH] greybus: operation: fix incoming request payload size

Fix the payload size of incoming requests, which should not include the operation message-header size.

When creating requests we pass the sizes of request and response payloads and greybus core allocates buffers and adds the required headers. Specifically, the payload sizes do not include the message-header size.

This is currently not the case for incoming requests however, something which prevents protocol drivers from implementing appropriate input verification and could lead to random data being treated as a valid message in case of a short request.

Signed-off-by: Johan Hovold
Reviewed-by: Alex Elder
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/greybus/operation.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index cb0c87aa4f98..8e37d144c89f 100644
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -567,9 +567,13 @@ EXPORT_SYMBOL_GPL(gb_operation_create);
 static struct gb_operation *
 gb_operation_create_incoming(struct gb_connection *connection, u16 id,
- u8 type, void *data, size_t request_size)
+ u8 type, void *data, size_t size)
 {
 struct gb_operation *operation;
+ size_t request_size;
+
+ /* Caller has made sure we at least have a message header. */
+ request_size = size - sizeof(struct gb_operation_msg_hdr);
 
 operation = gb_operation_create_common(connection,
 GB_OPERATION_TYPE_INVALID,
@@ -577,7 +581,7 @@ gb_operation_create_incoming(struct gb_connection *connection, u16 id,
 if (operation) {
 operation->id = id;
 operation->type = type;
- memcpy(operation->request->header, data, request_size);
+ memcpy(operation->request->header, data, size);
 }
 
 return operation;
--
2.20.1
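Review bot: The new `request_size = size - sizeof(struct gb_operation_msg_hdr);` in the first hunk wraps to a huge size_t if `size` is ever smaller than the header, and the only thing between that and the allocation and copy that follow is the comment saying the caller checked. Because this is the path for requests arriving from the link, I would state the precondition as an assertion at the top of the function rather than only as a comment: `if (WARN_ON(size < sizeof(struct gb_operation_msg_hdr))) return NULL;`, which leaves the caller's check as the real guard but makes any future caller that omits it fail loudly instead of handing a wrapped length to the memcpy in the second hunk. The gb_operation_create_common call runs past the end of the first hunk, so I cannot confirm from here that it receives request_size as the request payload size; if it does, the buffer it allocates is header plus request_size, which is consistent with copying `size` bytes in the second hunk. gb_operation_create_incoming's body spans both hunks.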