Transaction: Add overflow protection to read_entries Validates read_entries and read_buf_size to ensure they don't exceed reasonable limits that could trigger overflow. Adds explicit checks before the calculation to detect potential integer overflows. Bug: 322327963 Test: CTS/PTS, GCA_SMOKE TEST Change-Id: I1b2e99cc83cfd751d3a82e501dbd64ddfebd039f Signed-off-by: Nick Chung <nickchung@google.com> (cherry picked from commit e7a59eba1ba9c49d9500935907056fc69ce3a012)

commit: 474c5e80e2c048df24570e7150a580a82e0439b8 [log] [tgz]
author: Nick Chung <nickchung@google.com> Sun Feb 25 11:47:02 2024 +0800
committer: Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> Tue Feb 27 18:39:48 2024 +0000
tree: 11790ca33f8aa91e3b2988db0c8c536367bfe6f1
parent: c9fbdbf0f5252007b0aa2ea6df36414520226597 [diff]
diff --git a/lwis_transaction.c b/lwis_transaction.c
index 823de12..c6ccd42 100644
--- a/lwis_transaction.c
+++ b/lwis_transaction.c

@@ -888,6 +888,15 @@
 	/* Event response payload consists of header, and address and offset pairs. */
 	resp_size = sizeof(struct lwis_transaction_response_header) +
 		    read_entries * sizeof(struct lwis_io_result) + read_buf_size;
+
+	if (read_entries > INT_MAX / sizeof(struct lwis_io_result)) {
+		return -EOVERFLOW;
+	}
+
+	if (read_buf_size > INT_MAX - sizeof(struct lwis_transaction_response_header) -
+				    read_entries * sizeof(struct lwis_io_result)) {
+		return -EOVERFLOW;
+	}
 	/*
 	 * Revisit the use of GFP_ATOMIC here. Reason for this to be atomic is
 	 * because this function can be called by transaction_replace while
commit	474c5e80e2c048df24570e7150a580a82e0439b8	[log] [tgz]
author	Nick Chung <nickchung@google.com>	Sun Feb 25 11:47:02 2024 +0800
committer	Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com>	Tue Feb 27 18:39:48 2024 +0000
tree	11790ca33f8aa91e3b2988db0c8c536367bfe6f1
parent	c9fbdbf0f5252007b0aa2ea6df36414520226597 [diff]