diff options
author | Tommy Kardach <thomaskardach@google.com> | 2024-02-20 10:26:26 -0800 |
---|---|---|
committer | Tommy Kardach <thomaskardach@google.com> | 2024-02-21 22:38:30 +0000 |
commit | 9b7b652ae894f85b18b26e7267e4af3291f5e20e (patch) | |
tree | d820b7e999b707ac3ccf0b822c43fa17402773f6 | |
parent | c625d4e75c070097fb74d93e3f577b160f7367d7 (diff) | |
download | lwis-9b7b652ae894f85b18b26e7267e4af3291f5e20e.tar.gz |
Check for integer overflow in prepare_response
Bug: 322483069
Test: gca_smoke
Change-Id: If6468d36c76499b23ecf6cd4c9c893a69259c811
Signed-off-by: Tommy Kardach <thomaskardach@google.com>
(cherry picked from commit 9ad0d2c3fde8c542bf7f9125f084498c2dafa53c)
-rw-r--r-- | lwis_periodic_io.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lwis_periodic_io.c b/lwis_periodic_io.c index 22800c8..36af3e0 100644 --- a/lwis_periodic_io.c +++ b/lwis_periodic_io.c @@ -388,9 +388,17 @@ static int prepare_response(struct lwis_client *client, struct lwis_periodic_io for (i = 0; i < info->num_io_entries; ++i) { struct lwis_io_entry *entry = &info->io_entries[i]; if (entry->type == LWIS_IO_ENTRY_READ) { + /* Check for size_t overflow. */ + if (read_buf_size + reg_value_bytewidth < read_buf_size) { + return -EOVERFLOW; + } read_buf_size += reg_value_bytewidth; read_entries++; } else if (entry->type == LWIS_IO_ENTRY_READ_BATCH) { + /* Check for size_t overflow when adding user defined size_in_bytes. */ + if (read_buf_size + entry->rw_batch.size_in_bytes < read_buf_size) { + return -EOVERFLOW; + } read_buf_size += entry->rw_batch.size_in_bytes; read_entries++; } |