From 066f950c65c206c1a1a2f72f2c80134177ea3999 Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@hovoldconsulting.com>
Date: Wed, 24 Feb 2016 16:11:49 +0100
Subject: [PATCH] greybus: uart: add max-payload sanity check

Let's be well behaved and add a sanity check on the maximum greybus
payload size to avoid underflow on the calculated buffer size.

Reviewed-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
---
 drivers/staging/greybus/uart.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/greybus/uart.c b/drivers/staging/greybus/uart.c
index 52cc9d5..60617cb 100644
--- a/drivers/staging/greybus/uart.c
+++ b/drivers/staging/greybus/uart.c
@@ -587,6 +587,7 @@ static void gb_tty_exit(void);
 
 static int gb_uart_connection_init(struct gb_connection *connection)
 {
+	size_t max_payload;
 	struct gb_tty *gb_tty;
 	struct device *tty_dev;
 	int retval;
@@ -607,8 +608,13 @@ static int gb_uart_connection_init(struct gb_connection *connection)
 		goto error_alloc;
 	}
 
-	gb_tty->buffer_payload_max =
-		gb_operation_get_payload_size_max(connection) -
+	max_payload = gb_operation_get_payload_size_max(connection);
+	if (max_payload < sizeof(struct gb_uart_send_data_request)) {
+		retval = -EINVAL;
+		goto error_payload;
+	}
+
+	gb_tty->buffer_payload_max = max_payload -
 			sizeof(struct gb_uart_send_data_request);
 
 	gb_tty->buffer = kzalloc(gb_tty->buffer_payload_max, GFP_KERNEL);
-- 
2.7.4