From 9c72075db1e335e936ae72f6d8bcf18b1e5a254e Mon Sep 17 00:00:00 2001
From: Paul Kocialkowski
Date: Sat, 2 Aug 2014 16:19:28 +0200
Subject: devices: Size limit when reading RFS data
Signed-off-by: Paul Kocialkowski
---
 samsung-ipc/devices/aries/aries.c | 4 ++++
 samsung-ipc/devices/aries/aries.h | 1 +
 samsung-ipc/devices/crespo/crespo.c | 4 ++--
 samsung-ipc/devices/xmm626/xmm626.h | 1 +
 samsung-ipc/devices/xmm626/xmm626_sec_modem.c | 4 ++++
 samsung-ipc/devices/xmm626/xmm626_sec_modem.h | 2 ++
 6 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/samsung-ipc/devices/aries/aries.c b/samsung-ipc/devices/aries/aries.c
index 99b60c7..c285ba6 100644
--- a/samsung-ipc/devices/aries/aries.c
+++ b/samsung-ipc/devices/aries/aries.c
@@ -435,6 +435,10 @@ int aries_rfs_recv(struct ipc_client *client, struct ipc_message *message)
 }
 header = (struct ipc_rfs_header *) buffer;
+ if (header->length > ARIES_DATA_SIZE_LIMIT) {
+ ipc_client_log(client, "Invalid RFS header length: %u", header->length);
+ goto error;
+ }
 ipc_rfs_message_setup(header, message);
diff --git a/samsung-ipc/devices/aries/aries.h b/samsung-ipc/devices/aries/aries.h
index efa7870..263f0ae 100644
--- a/samsung-ipc/devices/aries/aries.h
+++ b/samsung-ipc/devices/aries/aries.h
@@ -32,6 +32,7 @@
 #define ARIES_ONEDRAM_DEINIT 0xABCDABCD
 #define ARIES_SOCKET_RFS_MAGIC 0x80000
 #define ARIES_BUFFER_LENGTH 4032
+#define ARIES_DATA_SIZE_LIMIT 0x80000
 #define SO_IPC_RFS 0x21
 #define ARIES_MODEM_FMT_SPN 0x01
diff --git a/samsung-ipc/devices/crespo/crespo.c b/samsung-ipc/devices/crespo/crespo.c
index 97c1541..31bf273 100644
--- a/samsung-ipc/devices/crespo/crespo.c
+++ b/samsung-ipc/devices/crespo/crespo.c
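Review bot: The new guard on `header->length` in aries_rfs_recv only rejects values above ARIES_DATA_SIZE_LIMIT (0x80000); it does not compare the length against the number of bytes the preceding read actually placed in `buffer`, and that buffer is presumably sized from ARIES_BUFFER_LENGTH (4032), so if the code after the hunk lets ipc_rfs_message_setup or a later copy consume header->length bytes, a length that is under the limit but above what was received still reads past valid data. A lower bound is missing as well: if header->length counts the header itself and the setup helper subtracts sizeof(struct ipc_rfs_header) (not visible here), a length smaller than the header wraps to a huge payload size. I would tighten the condition to `if (header->length < sizeof(struct ipc_rfs_header) || header->length > ARIES_DATA_SIZE_LIMIT) {` and, wherever the received byte count is available, bound against that too. aries_rfs_recv starts and ends outside this hunk, so how the remaining bytes are read is inferred, not seen.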
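Review bot: ARIES_DATA_SIZE_LIMIT is introduced with the same value as ARIES_SOCKET_RFS_MAGIC two lines above it, and nothing in aries.h says whether that is a coincidence or whether the limit is meant to track the socket magic. A short comment on the new line would stop a later edit from changing one without the other, e.g. `/* Largest RFS header length aries_rfs_recv will accept, in bytes */`. If the two really are one quantity, defining the limit in terms of the magic would make that explicit.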
@@ -180,7 +180,7 @@ int crespo_fmt_recv(struct ipc_client *client, struct ipc_message *message)
 mio.data = calloc(1, mio.size);
 rc = client->handlers->read(client->handlers->transport_data, &mio, sizeof(struct modem_io) + mio.size);
- if (rc < 0 || mio.data == NULL || mio.size < sizeof(struct ipc_fmt_header)) {
+ if (rc < 0 || mio.data == NULL || mio.size < sizeof(struct ipc_fmt_header) || mio.size > CRESPO_BUFFER_LENGTH) {
 ipc_client_log(client, "Reading FMT data failed");
 goto error;
 }
@@ -264,7 +264,7 @@ int crespo_rfs_recv(struct ipc_client *client, struct ipc_message *message)
 mio.data = calloc(1, mio.size);
 rc = client->handlers->read(client->handlers->transport_data, &mio, sizeof(struct modem_io) + mio.size);
- if (rc < 0 || mio.data == NULL || mio.size <= 0) {
+ if (rc < 0 || mio.data == NULL || mio.size <= 0 || mio.size > CRESPO_BUFFER_LENGTH) {
 ipc_client_log(client, "Reading RFS data failed");
 goto error;
 }
diff --git a/samsung-ipc/devices/xmm626/xmm626.h b/samsung-ipc/devices/xmm626/xmm626.h
index e93aca3..2648cc1 100644
--- a/samsung-ipc/devices/xmm626/xmm626.h
+++ b/samsung-ipc/devices/xmm626/xmm626.h
@@ -26,6 +26,7 @@
 #define XMM626_SEC_END_MAGIC 0x0000
 #define XMM626_HW_RESET_MAGIC 0x111001
 #define XMM626_DATA_SIZE 0x1000
+#define XMM626_DATA_SIZE_LIMIT 0x80000
 #define XMM626_COMMAND_SET_PORT_CONFIG 0x86
 #define XMM626_COMMAND_SEC_START 0x204
diff --git a/samsung-ipc/devices/xmm626/xmm626_sec_modem.c b/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
index eedce07..ffe46a5 100644
--- a/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
+++ b/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
@@ -360,6 +360,10 @@ int xmm626_sec_modem_rfs_recv(struct ipc_client *client,
 }
 header = (struct ipc_rfs_header *) buffer;
+ if (header->length > XMM626_DATA_SIZE_LIMIT) {
+ ipc_client_log(client, "Invalid RFS header length: %u", header->length);
+ goto error;
+ }
 ipc_rfs_message_setup(header, message);
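Review bot: The new `mio.size > CRESPO_BUFFER_LENGTH` test in crespo_fmt_recv runs after `mio.size` has already been used to size the calloc() and the read() two lines above it, so an oversized value from the transport still drives the allocation and the read before it is rejected. Where mio.size is first obtained is outside this hunk; the bound belongs there, or at minimum as `if (mio.size > CRESPO_BUFFER_LENGTH) goto error;` ahead of the calloc(), with the post-read check kept only if read() can rewrite mio.size. While this line is being touched, note that a failed calloc() is also only noticed after read() has been handed a NULL `mio.data`; checking the allocation before the read would be the usual order. The function's prologue and its `error:` label are not in the hunk, so what is freed on that path is assumed.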
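Review bot: In crespo_rfs_recv the size-limit rejection is folded into the existing failure branch, so a frame dropped for exceeding CRESPO_BUFFER_LENGTH is logged as "Reading RFS data failed" with no indication of why or of the offending size, which makes a hostile or corrupt modem frame indistinguishable from a plain I/O error in the logs. I would give the limit its own branch with the value in the message, along the lines of `if (mio.size > CRESPO_BUFFER_LENGTH) { ipc_client_log(client, "Invalid RFS data size: %u", mio.size); goto error; }`, matching the wording the aries and xmm626 checks in this same patch use. The format specifier must agree with the declared type of mio.size, which is not visible here. As in the FMT hunk, this test also comes after mio.size has already sized the calloc() and the read().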
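Review bot: The bound added to xmm626_sec_modem_rfs_recv rejects only `header->length > XMM626_DATA_SIZE_LIMIT` (0x80000); it does not relate the length to the byte count the preceding read actually placed in `buffer`, and XMM626_DATA_SIZE (0x1000) suggests the device is read in far smaller units, so a header claiming, say, 0x7ffff bytes still passes and whatever follows the hunk has to cope with it. There is no lower bound either: if ipc_rfs_message_setup derives the payload size by subtracting sizeof(struct ipc_rfs_header) from header->length (it is not visible here), a length below the header size wraps. I would use `if (header->length < sizeof(struct ipc_rfs_header) || header->length > XMM626_DATA_SIZE_LIMIT) {` and, where the received count is known, bound against that as well. The function starts and ends outside this hunk.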
diff --git a/samsung-ipc/devices/xmm626/xmm626_sec_modem.h b/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
index 6d4ce12..ed2af82 100644
--- a/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
+++ b/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
@@ -20,6 +20,8 @@
 #ifndef __XMM626_SEC_MODEM_H__
 #define __XMM626_SEC_MODEM_H__
+#define XMM626_SEC_MODEM_BUFFER_SIZE_MAX 0x80000
+
 #define XMM626_SEC_MODEM_BOOT0_DEVICE "/dev/umts_boot0"
 #define XMM626_SEC_MODEM_BOOT1_DEVICE "/dev/umts_boot1"
 #define XMM626_SEC_MODEM_IPC0_DEVICE "/dev/umts_ipc0"
-- 
cgit v1.1
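Review bot: XMM626_SEC_MODEM_BUFFER_SIZE_MAX is added here with the value 0x80000, but nothing else in this diff uses it; the check in xmm626_sec_modem_rfs_recv compares against XMM626_DATA_SIZE_LIMIT from xmm626.h, which carries the same value. Two names for one limit will drift apart, so either drop this one or define it in terms of the other, `#define XMM626_SEC_MODEM_BUFFER_SIZE_MAX XMM626_DATA_SIZE_LIMIT`, and add a one-line comment saying which buffer it bounds. If it is intended for a consumer outside this patch, a comment naming that use would also help.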