ir: fix allocation of memory without size check issue [1/1]

PD#SWPL-11248

Problem:
When handling the set attribute IOCTL REMOTE_IOC_SET_KEY_NUMBER, the driver
does not limit the size of allocation with kzalloc.

Solution:
Limit the size of alllcation range, if given a value out of range, set
update flag to false and do nothing in kzalloc stage.

Verify:
W400

Change-Id: I6a4150f5615557c372738c918aad86120d149340
Signed-off-by: Qianggui Song <qianggui.song@amlogic.com>

diff --git a/drivers/amlogic/input/remote/remote_cdev.c b/drivers/amlogic/input/remote/remote_cdev.c
index ea996e3..6705b64 100644 (file)
--- a/drivers/amlogic/input/remote/remote_cdev.c
+++ b/drivers/amlogic/input/remote/remote_cdev.c
@@ -72,6 +72,13 @@ static long remote_ioctl(struct file *file, unsigned int cmd,
                        retval = -EFAULT;
                        goto err;
                }
+
+               if (value < 1 || value > MAX_KEYMAP_SIZE) {
+                       chip->key_num.update_flag = false;
+                       retval = -EINVAL;
+                       goto err;
+               }
+
                chip->key_num.update_flag = true;
                chip->key_num.value = value;
                break;