summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOhad Ben-Cohen <ohad@wizery.com>2012-02-28 15:16:48 +0100
committerOhad Ben-Cohen <ohad@wizery.com>2012-02-28 18:10:04 +0100
commit9648224e564aa0d6e3a803bd0e056802cc97297c (patch)
tree2d097e820dbbc0e8ee65e9e53306e69331c29b9b
parentrpmsg: fix name service endpoint leak (diff)
downloadlinux-9648224e564aa0d6e3a803bd0e056802cc97297c.tar.xz
linux-9648224e564aa0d6e3a803bd0e056802cc97297c.zip
rpmsg: validate incoming message length before propagating
When an inbound message arrives, validate its reported length before propagating it, otherwise buggy (or malicious) remote processors might trick us into accessing memory which we really shouldn't. Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com> Cc: Grant Likely <grant.likely@secretlab.ca> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Mark Grosen <mgrosen@ti.com> Cc: Suman Anna <s-anna@ti.com> Cc: Fernando Guzman Lugo <fernando.lugo@ti.com> Cc: Rob Clark <rob@ti.com> Cc: Ludovic BARRE <ludovic.barre@stericsson.com> Cc: Loic PALLARDY <loic.pallardy@stericsson.com> Cc: Omar Ramirez Luna <omar.luna@linaro.org>
-rw-r--r--drivers/rpmsg/virtio_rpmsg_bus.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
index 4db9cf8754a0..1e8b8b618674 100644
--- a/drivers/rpmsg/virtio_rpmsg_bus.c
+++ b/drivers/rpmsg/virtio_rpmsg_bus.c
@@ -778,6 +778,16 @@ static void rpmsg_recv_done(struct virtqueue *rvq)
print_hex_dump(KERN_DEBUG, "rpmsg_virtio RX: ", DUMP_PREFIX_NONE, 16, 1,
msg, sizeof(*msg) + msg->len, true);
+ /*
+ * We currently use fixed-sized buffers, so trivially sanitize
+ * the reported payload length.
+ */
+ if (len > RPMSG_BUF_SIZE ||
+ msg->len > (len - sizeof(struct rpmsg_hdr))) {
+ dev_warn(dev, "inbound msg too big: (%d, %d)\n", len, msg->len);
+ return;
+ }
+
/* use the dst addr to fetch the callback of the appropriate user */
mutex_lock(&vrp->endpoints_lock);
ept = idr_find(&vrp->endpoints, msg->dst);