ANDROID: usb: gadget: f_mtp: Return error if count is negative

If the user passes in a negative file size in a int64, this will compare to be smaller than buffer length, and it will get truncated to form a read length that is larger than the buffer length. To fix, return -EINVAL if the count argument is negative, so the loop will never happen. Bug: 37429972 Test: Test with PoC Change-Id: I5d52e38e6fbe2c17eb8c493f9eb81df6cfd780a4 Signed-off-by: Jerry Zhang <[email protected]> Signed-off-by: Francisco Franco <[email protected]>
franciscofranco · May 11, 2018 · 0ec79e8 · 0ec79e8
1 parent 9eaf56f
commit 0ec79e8
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/drivers/usb/gadget/f_mtp.c b/drivers/usb/gadget/f_mtp.c
@@ -753,6 +753,11 @@ static void send_file_work(struct work_struct *data)
 	offset = dev->xfer_file_offset;
 	count = dev->xfer_file_length;
 
+	if (count < 0) {
+		dev->xfer_result = -EINVAL;
+		return;
+	}
+
 	DBG(cdev, "send_file_work(%lld %lld)\n", offset, count);
 
 	if (dev->xfer_send_header) {
@@ -855,6 +860,11 @@ static void receive_file_work(struct work_struct *data)
 	offset = dev->xfer_file_offset;
 	count = dev->xfer_file_length;
 
+	if (count < 0) {
+		dev->xfer_result = -EINVAL;
+		return;
+	}
+
 	DBG(cdev, "receive_file_work(%lld)\n", count);
 
 	while (count > 0 || write_req) {