Commit cfa79699 authored by Johan Hovold, committed by Greg Kroah-Hartman

greybus: operation: fix incoming request payload size

Fix the payload size of incoming requests, which should not include the
operation message-header size.

When creating requests we pass the sizes of request and response
payloads and greybus core allocates buffers and adds the required
headers. Specifically, the payload sizes do not include the
message-header size.

This is currently not the case for incoming requests however, something
which prevents protocol drivers from implementing appropriate input
verification and could lead to random data being treated as a valid
message in case of a short request.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
parent 94896676
...@@ -567,9 +567,13 @@ EXPORT_SYMBOL_GPL(gb_operation_create); ...@@ -567,9 +567,13 @@ EXPORT_SYMBOL_GPL(gb_operation_create);
static struct gb_operation * static struct gb_operation *
gb_operation_create_incoming(struct gb_connection *connection, u16 id, gb_operation_create_incoming(struct gb_connection *connection, u16 id,
u8 type, void *data, size_t request_size) u8 type, void *data, size_t size)
{ {
struct gb_operation *operation; struct gb_operation *operation;
size_t request_size;
/* Caller has made sure we at least have a message header. */
request_size = size - sizeof(struct gb_operation_msg_hdr);
operation = gb_operation_create_common(connection, operation = gb_operation_create_common(connection,
GB_OPERATION_TYPE_INVALID, GB_OPERATION_TYPE_INVALID,
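Review bot: In gb_operation_create_incoming(), the subtraction "request_size = size - sizeof(struct gb_operation_msg_hdr);" relies on a precondition that is stated only in the comment above it. Both operands are size_t, so a size smaller than the header would wrap to a very large request_size instead of failing. Consider enforcing the precondition locally, for example by returning NULL (optionally with a WARN_ON) when size < sizeof(struct gb_operation_msg_hdr), or name in the comment the caller check that guarantees it. Because the parameter now means the total message size rather than the payload size, a one-line note to that effect on the function would also help future callers.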
...@@ -577,7 +581,7 @@ gb_operation_create_incoming(struct gb_connection *connection, u16 id, ...@@ -577,7 +581,7 @@ gb_operation_create_incoming(struct gb_connection *connection, u16 id,
if (operation) { if (operation) {
operation->id = id; operation->id = id;
operation->type = type; operation->type = type;
memcpy(operation->request->header, data, request_size); memcpy(operation->request->header, data, size);
} }
return operation; return operation;
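Review bot: The memcpy() length is now size, that is header plus payload, written starting at operation->request->header, so the copy is correct only if the request buffer has room for sizeof(struct gb_operation_msg_hdr) + request_size bytes. The commit message says greybus core adds the header when it allocates, but nothing at the copy site records that. A short comment above the memcpy() stating that size covers both the header and the payload would keep a later change to the allocation or to request_size from turning this copy into an overrun.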
......