Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

soc: qcom: qmi_encdec: Restrict string length in decode

The QMI TLV value for strings in a lot of qmi element info structures
account for null terminated strings with MAX_LEN + 1. If a string is
actually MAX_LEN + 1 length, this will cause an out of bounds access
when the NULL character is appended in decoding.

Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
Cc: stable@vger.kernel.org
Signed-off-by: Chris Lew <quic_clew@quicinc.com>
Signed-off-by: Praveenkumar I <quic_ipkumar@quicinc.com>
Link: https://lore.kernel.org/r/20230801064712.3590128-1-quic_ipkumar@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>

authored by Chris Lew and committed by Bjorn Andersson
8d207400 5f908786

+2 -2
drivers/soc/qcom/qmi_encdec.c
··· 534 534 decoded_bytes += rc; 535 535 } 536 536 537 - if (string_len > temp_ei->elem_len) { 538 - pr_err("%s: String len %d > Max Len %d\n", 537 + if (string_len >= temp_ei->elem_len) { 538 + pr_err("%s: String len %d >= Max Len %d\n", 539 539 __func__, string_len, temp_ei->elem_len); 540 540 return -ETOOSMALL; 541 541 } else if (string_len > tlv_len) {
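
Review bot: The tightened check at new line 537 (`string_len >= temp_ei->elem_len`) relies on an undocumented convention that `elem_len` for string elements already includes the byte for the terminating NUL, and that convention is stated only in the commit message. Please add a short comment above the condition saying that `elem_len` must be the maximum string length plus one, so the longest accepted string is `elem_len - 1` bytes. The commit message says "a lot of" element info structures use MAX_LEN + 1, not all of them, so any table that sets `elem_len` to the exact maximum will now get -ETOOSMALL for a maximum-length string; those tables are worth auditing alongside this change. The log text "Max Len %d" at new line 538 still prints `elem_len` as if it were the maximum string length, which is off by one under this convention; consider printing `elem_len - 1` or rewording the label to describe the buffer size.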