Add check in nvmem_device_{read,write}()to ensure that nvmem core never
passes an invalid number of bytes.
Signed-off-by: Biju Das <biju.das@xxxxxxxxxxxxxx>
---
V3-->V4
* New patch.
---
drivers/nvmem/core.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
index d9fd110..db7de33 100644
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -1433,10 +1433,21 @@ int nvmem_device_read(struct nvmem_device *nvmem,
size_t bytes, void *buf)
{
int rc;
+ size_t new_bytes;
if (!nvmem)
return -EINVAL;
+ /* Stop the user from reading */
+ if ((offset >= nvmem->size) || (bytes == 0))
+ return 0;
+
+ if (unlikely(check_add_overflow(bytes, offset, &new_bytes)))
+ return -EOVERFLOW;
+
+ if (new_bytes > nvmem->size)
+ bytes = nvmem->size - offset;
+
rc = nvmem_reg_read(nvmem, offset, buf, bytes);
if (rc)
@@ -1461,16 +1472,29 @@ int nvmem_device_write(struct nvmem_device *nvmem,
size_t bytes, void *buf)
{
int rc;
+ size_t new_bytes;
if (!nvmem)
return -EINVAL;
+ /* Stop the user from writing */
+ if (offset >= nvmem->size)
+ return -ENOSPC;
+
+ if (bytes == 0)
+ return 0;
+
+ if (unlikely(check_add_overflow(bytes, offset, &new_bytes)))
+ return -EOVERFLOW;
+
+ if (new_bytes > nvmem->size)
+ bytes = nvmem->size - offset;
+
rc = nvmem_reg_write(nvmem, offset, buf, bytes);
if (rc)
return rc;
-
return bytes;
}
EXPORT_SYMBOL_GPL(nvmem_device_write);
--
2.7.4
