author | Nick Chung <nickchung@google.com> | 2024-02-25 11:47:02 +0800
committer | Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> | 2024-02-27 18:39:48 +0000
commit | 474c5e80e2c048df24570e7150a580a82e0439b8 (patch)
tree | 11790ca33f8aa91e3b2988db0c8c536367bfe6f1
parent | c9fbdbf0f5252007b0aa2ea6df36414520226597 (diff)
download | lwis-android-gs-bluejay-5.10-android15-dp.tar.gz
Transaction: Add overflow protection to read_entries
Validates read_entries and read_buf_size to ensure
they don't exceed reasonable limits that could trigger overflow.
Adds explicit checks before the calculation to detect potential integer overflows.
Bug: 322327963
Test: CTS/PTS, GCA_SMOKE TEST
Change-Id: I1b2e99cc83cfd751d3a82e501dbd64ddfebd039f
Signed-off-by: Nick Chung <nickchung@google.com>
(cherry picked from commit e7a59eba1ba9c49d9500935907056fc69ce3a012)
-rw-r--r-- | lwis_transaction.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/lwis_transaction.c b/lwis_transaction.c index 823de12..c6ccd42 100644 --- a/lwis_transaction.c +++ b/lwis_transaction.c @@ -888,6 +888,15 @@ static int prepare_response_locked(struct lwis_client *client, struct lwis_trans /* Event response payload consists of header, and address and offset pairs. */ resp_size = sizeof(struct lwis_transaction_response_header) + read_entries * sizeof(struct lwis_io_result) + read_buf_size; + + if (read_entries > INT_MAX / sizeof(struct lwis_io_result)) { + return -EOVERFLOW; + } + + if (read_buf_size > INT_MAX - sizeof(struct lwis_transaction_response_header) - + read_entries * sizeof(struct lwis_io_result)) { + return -EOVERFLOW; + } /* * Revisit the use of GFP_ATOMIC here. Reason for this to be atomic is * because this function can be called by transaction_replace while |
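Review bot: both new `if` blocks sit after the `resp_size = sizeof(struct lwis_transaction_response_header) + read_entries * sizeof(struct lwis_io_result) + read_buf_size;` assignment, so the multiplication and additions they are meant to guard have already executed by the time they run, which contradicts the commit message ("Adds explicit checks before the calculation"); move both checks above the `resp_size =` line so that a rejected request never computes the overflowing value at all (if `resp_size` or either operand is a signed type, that overflow is undefined behaviour rather than a harmless wrap). The second check can also wrap on its own: the first check admits `read_entries * sizeof(struct lwis_io_result)` up to INT_MAX rounded down to a multiple of the struct size, and the right-hand side `INT_MAX - sizeof(struct lwis_transaction_response_header) - read_entries * sizeof(struct lwis_io_result)` is evaluated in unsigned `size_t` arithmetic (INT_MAX is promoted because `sizeof` yields `size_t`), so when `read_entries` is near that limit and the header is larger than the remainder, the subtraction wraps to a huge value and any `read_buf_size` passes. Computing `entries_size = read_entries * sizeof(struct lwis_io_result)` once, rejecting when `entries_size > INT_MAX - sizeof(struct lwis_transaction_response_header)`, and only then comparing `read_buf_size` against the remaining budget avoids that. The declared types of `read_entries` and `read_buf_size` are not visible in the hunk; a one-line comment stating them (and that `resp_size` is bounded by INT_MAX rather than SIZE_MAX for the allocator's sake) would make the intent of the INT_MAX bound clear to the next reader.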