From 9c72075db1e335e936ae72f6d8bcf18b1e5a254e Mon Sep 17 00:00:00 2001
From: Paul Kocialkowski <contact@paulk.fr>
Date: Sat, 2 Aug 2014 16:19:28 +0200
Subject: devices: Size limit when reading RFS data

Signed-off-by: Paul Kocialkowski <contact@paulk.fr>
---
 samsung-ipc/devices/crespo/crespo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'samsung-ipc/devices/crespo/crespo.c')

diff --git a/samsung-ipc/devices/crespo/crespo.c b/samsung-ipc/devices/crespo/crespo.c
index 97c1541..31bf273 100644
--- a/samsung-ipc/devices/crespo/crespo.c
+++ b/samsung-ipc/devices/crespo/crespo.c
@@ -180,7 +180,7 @@ int crespo_fmt_recv(struct ipc_client *client, struct ipc_message *message)
     mio.data = calloc(1, mio.size);
 
     rc = client->handlers->read(client->handlers->transport_data, &mio, sizeof(struct modem_io) + mio.size);
-    if (rc < 0 || mio.data == NULL || mio.size < sizeof(struct ipc_fmt_header)) {
+    if (rc < 0 || mio.data == NULL || mio.size < sizeof(struct ipc_fmt_header) || mio.size > CRESPO_BUFFER_LENGTH) {
         ipc_client_log(client, "Reading FMT data failed");
         goto error;
     }
@@ -264,7 +264,7 @@ int crespo_rfs_recv(struct ipc_client *client, struct ipc_message *message)
     mio.data = calloc(1, mio.size);
 
     rc = client->handlers->read(client->handlers->transport_data, &mio, sizeof(struct modem_io) + mio.size);
-    if (rc < 0 || mio.data == NULL || mio.size <= 0) {
+    if (rc < 0 || mio.data == NULL || mio.size <= 0 || mio.size > CRESPO_BUFFER_LENGTH) {
         ipc_client_log(client, "Reading RFS data failed");
         goto error;
     }
-- 
cgit v1.1