From a480ed6e37d2dc2c7f56371365cdac7d5358b50c Mon Sep 17 00:00:00 2001
From: Prerna Kalla <prernak@codeaurora.org>
Date: Mon, 30 Mar 2020 17:31:07 +0530
Subject: [PATCH] crypto: msm: restrict value of num_fds to QCEDEV_MAX_BUFFERS

Set the max value of num_fds to QCEDEV_MAX_BUFFERS to prevent
out of bound access of fd, fd_size, fd_offset array.

Change-Id: I88889472a4bd14f786588bd2c9e06e69a98e94c9
Signed-off-by: Prerna Kalla <prernak@codeaurora.org>
---
 drivers/crypto/msm/qcedev.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
index 9c9d911b4cc7..aeb644f5ca16 100644
--- a/drivers/crypto/msm/qcedev.c
+++ b/drivers/crypto/msm/qcedev.c
@@ -1915,6 +1915,11 @@ static inline long qcedev_ioctl(struct file *file,
 				goto exit_free_qcedev_areq;
 			}
 
+			if (map_buf.num_fds > QCEDEV_MAX_BUFFERS) {
+				err = -EINVAL;
+				goto exit_free_qcedev_areq;
+			}
+
 			for (i = 0; i < map_buf.num_fds; i++) {
 				err = qcedev_check_and_map_buffer(handle,
 						map_buf.fd[i],