author | Paul Kocialkowski <contact@paulk.fr> | 2014-08-02 16:19:28 +0200 |
---|---|---|
committer | Paul Kocialkowski <contact@paulk.fr> | 2014-08-02 16:19:28 +0200 |
commit | 9c72075db1e335e936ae72f6d8bcf18b1e5a254e (patch) | |
tree | 6528ed4521af87a92674c42758daedf929fc3ce9 /samsung-ipc/devices/xmm626 | |
parent | 5bd35c74cbe3aed1dc8010f42c593e3b2f0add99 (diff) | |
devices: Size limit when reading RFS data
Signed-off-by: Paul Kocialkowski <contact@paulk.fr>
Diffstat (limited to 'samsung-ipc/devices/xmm626')
-rw-r--r-- | samsung-ipc/devices/xmm626/xmm626.h | 1 | ||||
-rw-r--r-- | samsung-ipc/devices/xmm626/xmm626_sec_modem.c | 4 | ||||
-rw-r--r-- | samsung-ipc/devices/xmm626/xmm626_sec_modem.h | 2 |
3 files changed, 7 insertions, 0 deletions
diff --git a/samsung-ipc/devices/xmm626/xmm626.h b/samsung-ipc/devices/xmm626/xmm626.h
index e93aca3..2648cc1 100644
--- a/samsung-ipc/devices/xmm626/xmm626.h
+++ b/samsung-ipc/devices/xmm626/xmm626.h
@@ -26,6 +26,7 @@
 #define XMM626_SEC_END_MAGIC 0x0000
 #define XMM626_HW_RESET_MAGIC 0x111001
 #define XMM626_DATA_SIZE 0x1000
+#define XMM626_DATA_SIZE_LIMIT 0x80000
 #define XMM626_COMMAND_SET_PORT_CONFIG 0x86
 #define XMM626_COMMAND_SEC_START 0x204
diff --git a/samsung-ipc/devices/xmm626/xmm626_sec_modem.c b/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
index eedce07..ffe46a5 100644
--- a/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
+++ b/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
@@ -360,6 +360,10 @@ int xmm626_sec_modem_rfs_recv(struct ipc_client *client,
 }
 header = (struct ipc_rfs_header *) buffer;
+ if (header->length > XMM626_DATA_SIZE_LIMIT) {
+ ipc_client_log(client, "Invalid RFS header length: %u", header->length);
+ goto error;
+ }
 ipc_rfs_message_setup(header, message);
diff --git a/samsung-ipc/devices/xmm626/xmm626_sec_modem.h b/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
index 6d4ce12..ed2af82 100644
--- a/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
+++ b/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
@@ -20,6 +20,8 @@
 #ifndef __XMM626_SEC_MODEM_H__
 #define __XMM626_SEC_MODEM_H__
+#define XMM626_SEC_MODEM_BUFFER_SIZE_MAX 0x80000
+
 #define XMM626_SEC_MODEM_BOOT0_DEVICE "/dev/umts_boot0"
 #define XMM626_SEC_MODEM_BOOT1_DEVICE "/dev/umts_boot1"
 #define XMM626_SEC_MODEM_IPC0_DEVICE "/dev/umts_ipc0" |
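Review bot: `XMM626_DATA_SIZE_LIMIT` is added in xmm626.h with no comment saying what it bounds or where 0x80000 comes from, and the xmm626_sec_modem.h hunk adds `XMM626_SEC_MODEM_BUFFER_SIZE_MAX` with the same literal but no use in any hunk shown here (the diffstat is limited to this directory, so a user may exist elsewhere). Two independent literals for what appears to be one bound can drift apart; if they are meant to be the same limit, derive one from the other, e.g. `#define XMM626_SEC_MODEM_BUFFER_SIZE_MAX XMM626_DATA_SIZE_LIMIT` provided xmm626.h is in scope there, or drop the unused one. I would also put `/* Upper bound on the length field of an RFS header read from the modem */` above the define that the check uses.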
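Review bot: The added check in xmm626_sec_modem_rfs_recv() bounds `header->length` only from above, so a modem-supplied length smaller than `sizeof(struct ipc_rfs_header)` still passes and reaches `ipc_rfs_message_setup(header, message)`. The function continues outside this hunk and a later guard may exist, but if the payload size is derived by subtracting the header size, an undersized value would wrap to a very large count. Validating both ends in one place keeps the trust boundary in a single statement: `if (header->length < sizeof(struct ipc_rfs_header) || header->length > XMM626_DATA_SIZE_LIMIT) {`.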