author | timothywang <timothywang@google.com> | 2020-07-22 19:39:50 +0800 |
---|---|---|
committer | timothywang <timothywang@google.com> | 2020-07-23 11:41:50 +0800 |
commit | 11eba8cd1f8f55a2b5672c18854f5cc5c382a45b (patch) | |
tree | f4a2a53b37f61bb4952b70f6bba00a56cf5cfab5 | |
parent | b60439735f99d5bef6668081e911ab230e993d89 (diff) | |
camera: fix slab-out-of-bounds bug
The receive buffer size must be equivalent to or larger than the size of
the QMI encoded message.
Test: kasan build.
Bug: 161170480
Change-Id: I7903a748ccf9f1aecc4485a2860c0b7ffbf01ddc
-rw-r--r-- | drivers/cam_sensor_module/cam_sensor_vsync/cam_sensor_vsync.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/cam_sensor_module/cam_sensor_vsync/cam_sensor_vsync.h b/drivers/cam_sensor_module/cam_sensor_vsync/cam_sensor_vsync.h index c755a35..d6283a6 100644 --- a/drivers/cam_sensor_module/cam_sensor_vsync/cam_sensor_vsync.h +++ b/drivers/cam_sensor_module/cam_sensor_vsync/cam_sensor_vsync.h @@ -30,7 +30,9 @@ #define CAM_VSYNC_REQ_MSG_ID_V01 0x20 #define CAM_VSYNC_RESP_MSG_ID_V01 0x20 -#define CAM_VSYNC_REQ_MAX_MSG_LEN_V01 520 +/** The recv_buf_size should be at least the size of the largest qmi msg used by the + client/service, which in this case, it's sns_client_report_ind_msg_v01. */ +#define CAM_VSYNC_REQ_MAX_MSG_LEN_V01 sizeof(struct sns_client_report_ind_msg_v01) /** QMI Service ID for this Sensors Service */ #define SNS_CLIENT_SVC_ID_V01 400 |
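Review bot: In the new definition of CAM_VSYNC_REQ_MAX_MSG_LEN_V01, `sizeof(struct sns_client_report_ind_msg_v01)` is the in-memory size of the decoded C struct, while the commit message requires the receive buffer to cover the size of the QMI encoded message. These are different quantities, so the added comment should say why the struct size bounds the encoded length, or the macro should use an encoded maximum-length constant for sns_client_report_ind_msg_v01 if the headers define one. The macro name also still says REQ although its value is now sized for an indication message and, per the comment, serves as recv_buf_size; a separate, clearly named macro for the receive buffer size would leave the request length at 520 and make the intent obvious at the call site. Smaller points: the expansion changes from an int constant to a size_t expression, so callers that compare it against signed values or pass it to int parameters need a check, and the expansion should be wrapped in parentheses. The comment opens with `/**`, which kernel-doc reserves for documentation blocks; a plain `/*` comment fits here.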