Diffstat (limited to 'samsung-ipc/devices/aries')
-rw-r--r-- | samsung-ipc/devices/aries/aries.c | 4 | ||||
-rw-r--r-- | samsung-ipc/devices/aries/aries.h | 1 |
2 files changed, 5 insertions, 0 deletions
diff --git a/samsung-ipc/devices/aries/aries.c b/samsung-ipc/devices/aries/aries.c
index 99b60c7..c285ba6 100644
--- a/samsung-ipc/devices/aries/aries.c
+++ b/samsung-ipc/devices/aries/aries.c
@@ -435,6 +435,10 @@ int aries_rfs_recv(struct ipc_client *client, struct ipc_message *message)
 }
 header = (struct ipc_rfs_header *) buffer;
+ if (header->length > ARIES_DATA_SIZE_LIMIT) {
+ ipc_client_log(client, "Invalid RFS header length: %u", header->length);
+ goto error;
+ }
 ipc_rfs_message_setup(header, message);
diff --git a/samsung-ipc/devices/aries/aries.h b/samsung-ipc/devices/aries/aries.h
index efa7870..263f0ae 100644
--- a/samsung-ipc/devices/aries/aries.h
+++ b/samsung-ipc/devices/aries/aries.h
@@ -32,6 +32,7 @@
 #define ARIES_ONEDRAM_DEINIT 0xABCDABCD
 #define ARIES_SOCKET_RFS_MAGIC 0x80000
 #define ARIES_BUFFER_LENGTH 4032
+#define ARIES_DATA_SIZE_LIMIT 0x80000
 #define SO_IPC_RFS 0x21
 #define ARIES_MODEM_FMT_SPN 0x01 |
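Review bot: The new guard in aries_rfs_recv bounds `header->length` only from above, so a length smaller than `sizeof(struct ipc_rfs_header)` still reaches `ipc_rfs_message_setup()`. The rest of the function is outside the hunk; if it derives the payload size by subtracting the header size from `header->length`, a short value would wrap to a very large unsigned size, so the guard could reject it as well: `if (header->length < sizeof(struct ipc_rfs_header) || header->length > ARIES_DATA_SIZE_LIMIT) {`. The `%u` conversion assumes the length field is an `unsigned int`, which the hunk does not show. Since this is a new exit taken after the read, it is also worth confirming that the `error` label releases `buffer`.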
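Review bot: ARIES_DATA_SIZE_LIMIT is added to aries.h without a comment saying what it bounds or how 0x80000 was chosen, and it carries the same value as ARIES_SOCKET_RFS_MAGIC two lines above, which makes it look copied rather than derived. A one-line comment on the define would settle that, for example `/* Largest RFS header length field that aries_rfs_recv accepts */`, with the unit and the source of the value stated if they are known. If the limit is meant to track a transport or allocation constraint, naming that constraint in the comment keeps the check meaningful when either side changes.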