authorJohan Hovold2015-03-27 12:41:18 +0100
committerGreg Kroah-Hartman2015-03-30 15:13:01 +0200
commitcfa79699cdef2e006f8414587c0e4d62209e4897 (patch)
tree4950796bb4faafeb852b15f913abb4a53d63b383 /drivers
parentgreybus: operation: fix null-deref on operation destroy (diff)
greybus: operation: fix incoming request payload size
Fix the payload size of incoming requests, which should not include the operation message-header size. When creating requests we pass the sizes of request and response payloads and greybus core allocates buffers and adds the required headers. Specifically, the payload sizes do not include the message-header size. This is currently not the case for incoming requests however, something which prevents protocol drivers from implementing appropriate input verification and could lead to random data being treated as a valid message in case of a short request. Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Reviewed-by: Alex Elder <elder@linaro.org> Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/staging/greybus/operation.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index cb0c87aa4f98..8e37d144c89f 100644
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -567,9 +567,13 @@ EXPORT_SYMBOL_GPL(gb_operation_create);
static struct gb_operation *
gb_operation_create_incoming(struct gb_connection *connection, u16 id,
- u8 type, void *data, size_t request_size)
+ u8 type, void *data, size_t size)
{
struct gb_operation *operation;
+ size_t request_size;
+
+ /* Caller has made sure we at least have a message header. */
+ request_size = size - sizeof(struct gb_operation_msg_hdr);
operation = gb_operation_create_common(connection,
GB_OPERATION_TYPE_INVALID,
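Review bot: The subtraction at `request_size = size - sizeof(struct gb_operation_msg_hdr);` wraps to a huge size_t if any caller ever passes a size smaller than the header, and the only guard against that is the comment above it. Since the caller-side check is not visible in this hunk, a cheap in-function assertion would turn a short message into a loud failure rather than an oversized allocation and a memcpy of `size` bytes from `data`: `if (WARN_ON(size < sizeof(struct gb_operation_msg_hdr))) return NULL;` placed just before the subtraction. It would also be worth confirming that every receive-path caller in this file rejects messages shorter than the header before reaching here, as the comment presumes. The function body continues in the following hunk and its closing brace is outside this view.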
@@ -577,7 +581,7 @@ gb_operation_create_incoming(struct gb_connection *connection, u16 id,
if (operation) {
operation->id = id;
operation->type = type;
- memcpy(operation->request->header, data, request_size);
+ memcpy(operation->request->header, data, size);
}
return operation;