shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-09 04:10:18 +09:00
Code Issues Packages Projects Releases Wiki Activity

ANDROID: usb: gadget: f_mtp: Return error if count is negative

Browse Source 
If the user passes in a negative file size in a int64,
this will compare to be smaller than buffer length,
and it will get truncated to form a read length that
is larger than the buffer length.

To fix, return -EINVAL if the count argument is negative,
so the loop will never happen.

Bug: 37429972
Test: Test with PoC
Change-Id: I5d52e38e6fbe2c17eb8c493f9eb81df6cfd780a4
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
(cherry picked from commit 34e65b671b)
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
This commit is contained in:
Jerry Zhang
2017-09-27 11:49:44 -07:00
committed by Amit Pundir
parent 8f2aa58a67
commit afe4c8d03b
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/usb/gadget/function/f_mtp.c
View File

@@ -729,6 +729,11 @@ static void send_file_work(struct work_struct *data)
offset = dev->xfer_file_offset;
count = dev->xfer_file_length;
if (count < 0) {
dev->xfer_result = -EINVAL;
return;
}
DBG(cdev, "send_file_work(%lld %lld)\n", offset, count);
if (dev->xfer_send_header) {
@@ -835,6 +840,11 @@ static void receive_file_work(struct work_struct *data)
offset = dev->xfer_file_offset;
count = dev->xfer_file_length;
if (count < 0) {
dev->xfer_result = -EINVAL;
return;
}
DBG(cdev, "receive_file_work(%lld)\n", count);
while (count > 0 || write_req) {