Transaction: Add overflow protection to read_entries
Validates read_entries and read_buf_size to ensure
they don't exceed reasonable limits that could trigger overflow.
Adds explicit checks before the calculation to detect potential integer overflows.
Bug: 322327963
Test: CTS/PTS, GCA_SMOKE TEST
Change-Id: I1b2e99cc83cfd751d3a82e501dbd64ddfebd039f
Signed-off-by: Nick Chung <nickchung@google.com>
(cherry picked from commit e7a59eba1ba9c49d9500935907056fc69ce3a012)
diff --git a/lwis_transaction.c b/lwis_transaction.c
index 823de12..c6ccd42 100644
--- a/lwis_transaction.c
+++ b/lwis_transaction.c
@@ -888,6 +888,15 @@
/* Event response payload consists of header, and address and offset pairs. */
resp_size = sizeof(struct lwis_transaction_response_header) +
read_entries * sizeof(struct lwis_io_result) + read_buf_size;
+
+ if (read_entries > INT_MAX / sizeof(struct lwis_io_result)) {
+ return -EOVERFLOW;
+ }
+
+ if (read_buf_size > INT_MAX - sizeof(struct lwis_transaction_response_header) -
+ read_entries * sizeof(struct lwis_io_result)) {
+ return -EOVERFLOW;
+ }
/*
* Revisit the use of GFP_ATOMIC here. Reason for this to be atomic is
* because this function can be called by transaction_replace while