Diffstat (limited to 'samsung-ipc/devices/xmm626')
-rw-r--r-- | samsung-ipc/devices/xmm626/xmm626.h | 1 | ||||
-rw-r--r-- | samsung-ipc/devices/xmm626/xmm626_sec_modem.c | 4 | ||||
-rw-r--r-- | samsung-ipc/devices/xmm626/xmm626_sec_modem.h | 2 |
3 files changed, 7 insertions, 0 deletions
diff --git a/samsung-ipc/devices/xmm626/xmm626.h b/samsung-ipc/devices/xmm626/xmm626.h
index e93aca3..2648cc1 100644
--- a/samsung-ipc/devices/xmm626/xmm626.h
+++ b/samsung-ipc/devices/xmm626/xmm626.h
@@ -26,6 +26,7 @@
 #define XMM626_SEC_END_MAGIC 0x0000
 #define XMM626_HW_RESET_MAGIC 0x111001
 #define XMM626_DATA_SIZE 0x1000
+#define XMM626_DATA_SIZE_LIMIT 0x80000
 #define XMM626_COMMAND_SET_PORT_CONFIG 0x86
 #define XMM626_COMMAND_SEC_START 0x204
diff --git a/samsung-ipc/devices/xmm626/xmm626_sec_modem.c b/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
index eedce07..ffe46a5 100644
--- a/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
+++ b/samsung-ipc/devices/xmm626/xmm626_sec_modem.c
@@ -360,6 +360,10 @@ int xmm626_sec_modem_rfs_recv(struct ipc_client *client,
 }
 header = (struct ipc_rfs_header *) buffer;
+ if (header->length > XMM626_DATA_SIZE_LIMIT) {
+ ipc_client_log(client, "Invalid RFS header length: %u", header->length);
+ goto error;
+ }
 ipc_rfs_message_setup(header, message);
diff --git a/samsung-ipc/devices/xmm626/xmm626_sec_modem.h b/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
index 6d4ce12..ed2af82 100644
--- a/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
+++ b/samsung-ipc/devices/xmm626/xmm626_sec_modem.h
@@ -20,6 +20,8 @@
 #ifndef __XMM626_SEC_MODEM_H__
 #define __XMM626_SEC_MODEM_H__
+#define XMM626_SEC_MODEM_BUFFER_SIZE_MAX 0x80000
+
 #define XMM626_SEC_MODEM_BOOT0_DEVICE "/dev/umts_boot0"
 #define XMM626_SEC_MODEM_BOOT1_DEVICE "/dev/umts_boot1"
 #define XMM626_SEC_MODEM_IPC0_DEVICE "/dev/umts_ipc0"
|
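Review bot: The added guard in xmm626_sec_modem_rfs_recv bounds `header->length` only from above, so a modem-supplied length smaller than `sizeof(struct ipc_rfs_header)` still reaches `ipc_rfs_message_setup()`. If the code after the hunk derives the payload size by subtracting the header size (not visible here, so this needs confirming), that subtraction would wrap for a short length and defeat the new limit. Rejecting both ends in the same test closes that gap: `if (header->length < sizeof(struct ipc_rfs_header) || header->length > XMM626_DATA_SIZE_LIMIT) {`. The function body starts and ends outside the hunk, including the `error` label and the read that fills `buffer`.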
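Review bot: `XMM626_SEC_MODEM_BUFFER_SIZE_MAX` is introduced in xmm626_sec_modem.h but no hunk in this commit references it; the RFS length check in xmm626_sec_modem.c uses `XMM626_DATA_SIZE_LIMIT` from xmm626.h, which carries the same value 0x80000. Two independent constants for what looks like one limit can drift apart, and a later edit to one of them would silently leave the check on the old bound. Either keep a single constant or add a comment on each saying what it bounds and why the value was chosen, for example `/* largest message length accepted from the modem */` if that is the intent.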