If *pos or *pos + count is greater than v_len, It will read beyond
the stream_buf buffer. This patch add the check and cut down count with
size of the buffer.
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
if ((int)v_len <= 0)
return (int)v_len;
+ if (v_len <= *pos) {
+ count = -EINVAL;
+ goto free_buf;
+ }
+
+ if (v_len - *pos < count)
+ count = v_len - *pos;
+
memcpy(buf, &stream_buf[*pos], count);
+
+free_buf:
kvfree(stream_buf);
- return v_len > count ? count : v_len;
+ return count;
}
/**