crypto: msm: Check for invalid byte offset field

There is potential for HEAP corruption when the byte offset field is set to a huge value. Change-Id: Idd851cf3ec57627aba7d8250914cd18ccdd697ec Signed-off-by: Mona Hossain <mhossain@codeaurora.org> Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
2013-06-17 23:25:33 -07:00
parent 27907426f8
commit 23d152a08e
2 changed files with 6 additions and 0 deletions
--- a/drivers/crypto/msm/qce.h
+++ b/drivers/crypto/msm/qce.h
@@ -32,6 +32,8 @@
 #define SHA256_DIGESTSIZE		32
 #define SHA1_DIGESTSIZE			20

+#define AES_CE_BLOCK_SIZE		16
+
 /* key size in bytes */
 #define HMAC_KEY_SIZE			(SHA1_DIGESTSIZE)    /* hmac-sha1 */
 #define SHA_HMAC_KEY_SIZE		64
--- a/drivers/crypto/msm/qcedev.c
+++ b/drivers/crypto/msm/qcedev.c
@@ -1788,6 +1788,10 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
 			if (req->use_pmem)
 				goto error;
 		}
+		if (req->byteoffset >= AES_CE_BLOCK_SIZE) {
+			pr_err("%s: Invalid byte offset\n", __func__);
+			goto error;
+		}
 	}
 	/* if using PMEM with non-zero byteoffset, ensure it is in_place_op */
 	if (req->use_pmem) {