-rw-r--r--samsung-ipc/devices/aries/aries.c4
-rw-r--r--samsung-ipc/devices/aries/aries.h1
-rw-r--r--samsung-ipc/devices/crespo/crespo.c4
-rw-r--r--samsung-ipc/devices/xmm626/xmm626.h1
-rw-r--r--samsung-ipc/devices/xmm626/xmm626_sec_modem.c4
-rw-r--r--samsung-ipc/devices/xmm626/xmm626_sec_modem.h2
6 files changed, 14 insertions, 2 deletions
diff --git a/samsung-ipc/devices/aries/aries.c b/samsung-ipc/devices/aries/aries.c
index 99b60c7..c285ba6 100644
--- a/samsung-ipc/devices/aries/aries.c
+++ b/samsung-ipc/devices/aries/aries.c
@@ -435,6 +435,10 @@ int aries_rfs_recv(struct ipc_client *client, struct ipc_message *message)
}
header = (struct ipc_rfs_header *) buffer;
+ if (header->length > ARIES_DATA_SIZE_LIMIT) {
+ ipc_client_log(client, "Invalid RFS header length: %u", header->length);
+ goto error;
+ }
ipc_rfs_message_setup(header, message);
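Review bot: The added check in aries_rfs_recv bounds header->length only from above, so a length smaller than the header itself still passes. The code after ipc_rfs_message_setup() is outside this hunk, but if it derives the payload size as header->length minus sizeof(struct ipc_rfs_header), a too-small value would wrap to a very large unsigned count. Consider `if (header->length < sizeof(struct ipc_rfs_header) || header->length > ARIES_DATA_SIZE_LIMIT) {`. The same applies to the identical check added in xmm626_sec_modem_rfs_recv in xmm626_sec_modem.c.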
diff --git a/samsung-ipc/devices/aries/aries.h b/samsung-ipc/devices/aries/aries.h
index efa7870..263f0ae 100644
--- a/samsung-ipc/devices/aries/aries.h
+++ b/samsung-ipc/devices/aries/aries.h
@@ -32,6 +32,7 @@
#define ARIES_ONEDRAM_DEINIT 0xABCDABCD
#define ARIES_SOCKET_RFS_MAGIC 0x80000
#define ARIES_BUFFER_LENGTH 4032
+#define ARIES_DATA_SIZE_LIMIT 0x80000
#define SO_IPC_RFS 0x21
#define ARIES_MODEM_FMT_SPN 0x01
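Review bot: ARIES_DATA_SIZE_LIMIT is added without a comment saying what it bounds or where 0x80000 comes from, and it sits two lines below ARIES_SOCKET_RFS_MAGIC, which carries the same value for a different purpose. A one-line comment such as `/* Largest ipc_rfs_header.length accepted in aries_rfs_recv() */` would keep a later reader from treating the two as related, or from raising the limit without checking the allocation it protects. XMM626_DATA_SIZE_LIMIT in xmm626.h would benefit from the same comment.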
diff --git a/samsung-ipc/devices/crespo/crespo.c b/samsung-ipc/devices/crespo/crespo.c
index 97c1541..31bf273 100644
--- a/samsung-ipc/devices/crespo/crespo.c
+++ b/samsung-ipc/devices/crespo/crespo.c
@@ -180,7 +180,7 @@ int crespo_fmt_recv(struct ipc_client *client, struct ipc_message *message)
mio.data = calloc(1, mio.size);
rc = client->handlers->read(client->handlers->transport_data, &mio, sizeof(struct modem_io) + mio.size);
- if (rc < 0 || mio.data == NULL || mio.size < sizeof(struct ipc_fmt_header)) {
+ if (rc < 0 || mio.data == NULL || mio.size < sizeof(struct ipc_fmt_header) || mio.size > CRESPO_BUFFER_LENGTH) {
ipc_client_log(client, "Reading FMT data failed");
goto error;
}
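Review bot: A mio.size above CRESPO_BUFFER_LENGTH is now rejected through the same branch and the same "Reading FMT data failed" message as a failed read or a failed calloc, so the log cannot distinguish a transport error from an out-of-range length. The aries and xmm626 hunks in this commit log the offending length; a separate `if (mio.size > CRESPO_BUFFER_LENGTH)` branch that logs the size before `goto error;` would make the rejection visible when triaging. The same applies to the crespo_rfs_recv hunk that follows. Both function bodies extend beyond their hunks.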
@@ -264,7 +264,7 @@ int crespo_rfs_recv(struct ipc_client *client, struct ipc_message *message)
mio.data = calloc(1, mio.size);
rc = client->handlers->read(client->handlers->transport_data, &mio, sizeof(struct modem_io) + mio.size);
- if (rc < 0 || mio.data == NULL || mio.size <= 0) {
+ if (rc < 0 || mio.data == NULL || mio.size <= 0 || mio.size > CRESPO_BUFFER_LENGTH) {
ipc_client_log(client, "Reading RFS data failed");
goto error;
}
diff --git a/samsung-ipc/devices/xmm626/xmm626.h b/samsung-ipc/devices/xmm626/xmm626.h
index e93aca3..2648cc1 100644
--- a/samsung-ipc/devices/xmm626/xmm626.h
+++ b/samsung-ipc/devices/xmm626/xmm626.h
@@ -26,6 +26,7 @@
#define XMM626_SEC_END_MAGIC 0x0000
#define XMM626_HW_RESET_MAGIC 0x111001
#define XMM626_DATA_SIZE 0x1000
+#define XMM626_DATA_SIZE_LIMIT 0x80000
#define XMM626_COMMAND_SET_PORT_CONFIG 0x86
#define XMM626_COMMAND_SEC_START 0x204
diff --git a/samsung-ipc/devices/xmm626/xmm626_sec_modem.c b/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
index eedce07..ffe46a5 100644
--- a/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
+++ b/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
@@ -360,6 +360,10 @@ int xmm626_sec_modem_rfs_recv(struct ipc_client *client,
}
header = (struct ipc_rfs_header *) buffer;
+ if (header->length > XMM626_DATA_SIZE_LIMIT) {
+ ipc_client_log(client, "Invalid RFS header length: %u", header->length);
+ goto error;
+ }
ipc_rfs_message_setup(header, message);
diff --git a/samsung-ipc/devices/xmm626/xmm626_sec_modem.h b/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
index 6d4ce12..ed2af82 100644
--- a/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
+++ b/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
@@ -20,6 +20,8 @@
#ifndef __XMM626_SEC_MODEM_H__
#define __XMM626_SEC_MODEM_H__
+#define XMM626_SEC_MODEM_BUFFER_SIZE_MAX 0x80000
+
#define XMM626_SEC_MODEM_BOOT0_DEVICE "/dev/umts_boot0"
#define XMM626_SEC_MODEM_BOOT1_DEVICE "/dev/umts_boot1"
#define XMM626_SEC_MODEM_IPC0_DEVICE "/dev/umts_ipc0"
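Review bot: XMM626_SEC_MODEM_BUFFER_SIZE_MAX is defined here but nothing in this commit uses it; the check added in xmm626_sec_modem.c compares against XMM626_DATA_SIZE_LIMIT from xmm626.h instead. Two macros with the same value 0x80000 for what looks like the same bound invite drift if only one is changed later. Either drop this define, or use it in xmm626_sec_modem_rfs_recv and remove the other.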