diff options
| author | Tom Hughes <tomhughes@chromium.org> | 2020-09-17 11:35:33 -0700 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2020-09-25 18:35:25 +0000 |
| commit | 01b7d964e5afe94450548c05ca062c35ac5fdd89 (patch) | |
| tree | 16689abd6fcdadcc122adbd024508ea58e28bd2b /common/fpsensor | |
| parent | 6b9218bc0a595e3329aa9a805065ce53592e23b3 (diff) | |
| download | chrome-ec-01b7d964e5afe94450548c05ca062c35ac5fdd89.tar.gz | |
fpsensor: Fix buffer check to account for overflow
BRANCH=none
BUG=b:144957935
TEST=make buildall
Signed-off-by: Tom Hughes <tomhughes@chromium.org>
Change-Id: I1b4fa0a715869ccc37e48d75316ef52c367aa64a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2417529
Reviewed-by: Craig Hesling <hesling@chromium.org>
Diffstat (limited to 'common/fpsensor')
| -rw-r--r-- | common/fpsensor/fpsensor.c | 14 | ||||
| -rw-r--r-- | common/fpsensor/fpsensor_private.h | 5 |
2 files changed, 15 insertions, 4 deletions
diff --git a/common/fpsensor/fpsensor.c b/common/fpsensor/fpsensor.c index bd36717707..2965b52fe9 100644 --- a/common/fpsensor/fpsensor.c +++ b/common/fpsensor/fpsensor.c @@ -18,6 +18,7 @@ #include "host_command.h" #include "link_defs.h" #include "mkbp_event.h" +#include "overflow.h" #include "spi.h" #include "system.h" #include "task.h" @@ -356,12 +357,17 @@ DECLARE_HOST_COMMAND(EC_CMD_FP_INFO, fp_command_info, BUILD_ASSERT(FP_CONTEXT_NONCE_BYTES == 12); -static int validate_fp_buffer_offset(const uint32_t buffer_size, - const uint32_t offset, const uint32_t size) +int validate_fp_buffer_offset(const uint32_t buffer_size, const uint32_t offset, + const uint32_t size) { - if (size > buffer_size || offset > buffer_size || - size + offset > buffer_size) + uint32_t bytes_requested; + + if (check_add_overflow(size, offset, &bytes_requested)) + return EC_ERROR_OVERFLOW; + + if (bytes_requested > buffer_size) return EC_ERROR_INVAL; + return EC_SUCCESS; } diff --git a/common/fpsensor/fpsensor_private.h b/common/fpsensor/fpsensor_private.h index fb97fb3bfd..a42049dece 100644 --- a/common/fpsensor/fpsensor_private.h +++ b/common/fpsensor/fpsensor_private.h @@ -8,7 +8,12 @@ #ifndef __CROS_EC_FPSENSOR_PRIVATE_H #define __CROS_EC_FPSENSOR_PRIVATE_H +#include <stdint.h> + #define CPRINTF(format, args...) cprintf(CC_FP, format, ## args) #define CPRINTS(format, args...) cprints(CC_FP, format, ## args) +int validate_fp_buffer_offset(uint32_t buffer_size, uint32_t offset, + uint32_t size); + #endif /* __CROS_EC_FPSENSOR_PRIVATE_H */ |