authortimothywang <timothywang@google.com>2020-07-22 19:39:50 +0800
committertimothywang <timothywang@google.com>2020-07-23 11:41:50 +0800
commit11eba8cd1f8f55a2b5672c18854f5cc5c382a45b (patch)
treef4a2a53b37f61bb4952b70f6bba00a56cf5cfab5
parentb60439735f99d5bef6668081e911ab230e993d89 (diff)
camera: fix slab-out-of-bounds bug
The receive buffer size must be equal to or larger than the size of the QMI encoded message. Test: kasan build. Bug: 161170480 Change-Id: I7903a748ccf9f1aecc4485a2860c0b7ffbf01ddc
-rw-r--r--drivers/cam_sensor_module/cam_sensor_vsync/cam_sensor_vsync.h4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/cam_sensor_module/cam_sensor_vsync/cam_sensor_vsync.h b/drivers/cam_sensor_module/cam_sensor_vsync/cam_sensor_vsync.h
index c755a35..d6283a6 100644
--- a/drivers/cam_sensor_module/cam_sensor_vsync/cam_sensor_vsync.h
+++ b/drivers/cam_sensor_module/cam_sensor_vsync/cam_sensor_vsync.h
@@ -30,7 +30,9 @@
#define CAM_VSYNC_REQ_MSG_ID_V01 0x20
#define CAM_VSYNC_RESP_MSG_ID_V01 0x20
-#define CAM_VSYNC_REQ_MAX_MSG_LEN_V01 520
+/** The recv_buf_size should be at least the size of the largest qmi msg used by the
+ client/service, which in this case, it's sns_client_report_ind_msg_v01. */
+#define CAM_VSYNC_REQ_MAX_MSG_LEN_V01 sizeof(struct sns_client_report_ind_msg_v01)
/** QMI Service ID for this Sensors Service */
#define SNS_CLIENT_SVC_ID_V01 400
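Review bot: `sizeof(struct sns_client_report_ind_msg_v01)` in the new `CAM_VSYNC_REQ_MAX_MSG_LEN_V01` measures the decoded C struct, which is not the same quantity as the maximum encoded QMI message that the commit message says the receive buffer must hold. The encoded form carries per-TLV type and length bytes that the struct does not, so the two can differ in either direction depending on padding. The struct definition and the place where the macro is used as the receive-buffer size are outside this hunk, so the bound should be confirmed there, preferably against the generated maximum-encoded-length constant for this indication if the header provides one, or with a `BUILD_BUG_ON` that compares the two. The expansion should also be parenthesized, `#define CAM_VSYNC_REQ_MAX_MSG_LEN_V01 (sizeof(struct sns_client_report_ind_msg_v01))`. Because its type changes from `int` to `size_t`, any signed comparison or `%d` format that uses it deserves a check.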