authorJerry Zhang <zhangjerry@google.com>2017-09-25 18:14:51 -0700
committerMister Oyster <oysterized@gmail.com>2017-12-08 17:34:06 +0100
commitfe19ee87cb697194c54cd28ba67d9e97fde64e2c (patch)
treec580ec19b3fd1d38e41abf3b7889158291135bda /drivers/usb/gadget
parent62fb9f8b97d0cd3efa682fc7f53095f08b421708 (diff)
ANDROID: usb: gadget: f_mtp: Return error if count is negative
If the user passes in a negative file size in an int64, it compares as smaller than the buffer length, and it is then truncated to form a read length that is larger than the buffer length. To fix, return -EINVAL if the count argument is negative, so the loop never runs. Bug: 37429972 Test: Test with PoC Change-Id: I5d52e38e6fbe2c17eb8c493f9eb81df6cfd780a4 Signed-off-by: Jerry Zhang <zhangjerry@google.com>
Diffstat (limited to 'drivers/usb/gadget')
-rw-r--r--drivers/usb/gadget/f_mtp.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/drivers/usb/gadget/f_mtp.c b/drivers/usb/gadget/f_mtp.c
index f7e0bce68..9f695417a 100644
--- a/drivers/usb/gadget/f_mtp.c
+++ b/drivers/usb/gadget/f_mtp.c
@@ -1133,6 +1133,11 @@ static void send_file_work(struct work_struct *data)
offset = dev->xfer_file_offset;
count = dev->xfer_file_length;
+ if (count < 0) {
+ dev->xfer_result = -EINVAL;
+ return;
+ }
+
DBG(cdev, "send_file_work(%lld %lld)\n", offset, count);
if (dev->xfer_send_header) {
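Review bot: The added `if (count < 0)` guard in send_file_work carries no comment on why the sign matters, and it bounds only the lower end of count. The commit message says the length is supplied by the user as an int64, so a comment such as `/* xfer_file_length is user-supplied; a negative value must never reach the transfer loop */` above the check would keep the reason next to the code. The `if (dev->xfer_send_header)` branch opens on the hunk's last line and its body is not shown; if it adds a header size to count, a value near the int64 maximum is not bounded by this check, which is worth confirming. The identical guard is repeated in receive_file_work (second hunk); validating once where the request is taken from userspace, presumably in the ioctl path outside this diff, would return -EINVAL before any work is queued and remove the duplication.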
@@ -1308,6 +1313,11 @@ static void receive_file_work(struct work_struct *data)
offset = dev->xfer_file_offset;
count = dev->xfer_file_length;
+ if (count < 0) {
+ dev->xfer_result = -EINVAL;
+ return;
+ }
+
DBG(cdev, "receive_file_work(%lld)\n", count);
while (count > 0 || write_req) {
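Review bot: The early `return` in receive_file_work stores `dev->xfer_result = -EINVAL` and leaves the function directly, so anything the normal exit path does after the `while (count > 0 || write_req)` loop is skipped on this path. The end of the function is outside the hunk; if the result is normally published there together with a memory barrier or other cleanup, the rejected case should go through that same exit instead of returning here. The same applies to the guard in send_file_work (first hunk). The guard also sits above the `DBG(cdev, "receive_file_work(%lld)\n", count);` trace, so a rejected request is never logged; moving the check below that line would keep the offending count visible in the debug output.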