diff options
| author | Neeraj Soni <neersoni@codeaurora.org> | 2016-11-28 18:23:33 +0530 |
|---|---|---|
| committer | David C. Park <davidc.park@lge.com> | 2017-05-02 16:09:10 -0700 |
| commit | 46bc2c341a3f24e0f97ed003380d4b8ace6fa1ba (patch) | |
| tree | 204f3397093fc5a32561ff5605ce300754b541af | |
| parent | 787338f1960c46357eb478c04a3bc04112444695 (diff) | |
qcrypto: protect potential integer overflow.android-wear-7.1.1_r0.26
Adding user passed parameters without check might
lead to Integer overflow and unpredictable system
behaviour.
CVE-2016-10230
Change-Id: Iaf8259e3c4a157e1790f1447b1b62a646988b7c4
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
| -rw-r--r-- | drivers/crypto/msm/qce50.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/crypto/msm/qce50.c b/drivers/crypto/msm/qce50.c index 8e75dc45e7f8..152719817bed 100644 --- a/drivers/crypto/msm/qce50.c +++ b/drivers/crypto/msm/qce50.c @@ -4506,6 +4506,12 @@ int qce_aead_req(void *handle, struct qce_req *q_req) else q_req->cryptlen = areq->cryptlen - authsize; + if ((q_req->cryptlen > UINT_MAX - areq->assoclen) || + (q_req->cryptlen + areq->assoclen > UINT_MAX - ivsize)) { + pr_err("Integer overflow on total aead req length.\n"); + return -EINVAL; + } + totallen = q_req->cryptlen + areq->assoclen + ivsize; if (pce_dev->support_cmd_dscr) { |