diff options
Diffstat (limited to 'drivers/s390/crypto/zcrypt_pcixcc.c')
-rw-r--r-- | drivers/s390/crypto/zcrypt_pcixcc.c | 32 |
1 files changed, 10 insertions, 22 deletions
diff --git a/drivers/s390/crypto/zcrypt_pcixcc.c b/drivers/s390/crypto/zcrypt_pcixcc.c index dd4737808e0..077b7d109fd 100644 --- a/drivers/s390/crypto/zcrypt_pcixcc.c +++ b/drivers/s390/crypto/zcrypt_pcixcc.c @@ -56,11 +56,6 @@ #define PCIXCC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */ #define PCIXCC_MAX_XCRB_MESSAGE_SIZE (12*1024) -#define PCIXCC_MAX_XCRB_RESPONSE_SIZE PCIXCC_MAX_XCRB_MESSAGE_SIZE -#define PCIXCC_MAX_XCRB_DATA_SIZE (11*1024) -#define PCIXCC_MAX_XCRB_REPLY_SIZE (5*1024) - -#define PCIXCC_MAX_RESPONSE_SIZE PCIXCC_MAX_XCRB_RESPONSE_SIZE #define PCIXCC_CLEANUP_TIME (15*HZ) @@ -265,7 +260,7 @@ static int ICACRT_msg_to_type6CRT_msgX(struct zcrypt_device *zdev, * @ap_msg: pointer to AP message * @xcRB: pointer to user input data * - * Returns 0 on success or -EFAULT. + * Returns 0 on success or -EFAULT, -EINVAL. */ struct type86_fmt2_msg { struct type86_hdr hdr; @@ -295,19 +290,12 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev, CEIL4(xcRB->request_control_blk_length) + xcRB->request_data_length; if (ap_msg->length > PCIXCC_MAX_XCRB_MESSAGE_SIZE) - return -EFAULT; - if (CEIL4(xcRB->reply_control_blk_length) > PCIXCC_MAX_XCRB_REPLY_SIZE) - return -EFAULT; - if (CEIL4(xcRB->reply_data_length) > PCIXCC_MAX_XCRB_DATA_SIZE) - return -EFAULT; - replylen = CEIL4(xcRB->reply_control_blk_length) + - CEIL4(xcRB->reply_data_length) + - sizeof(struct type86_fmt2_msg); - if (replylen > PCIXCC_MAX_XCRB_RESPONSE_SIZE) { - xcRB->reply_control_blk_length = PCIXCC_MAX_XCRB_RESPONSE_SIZE - - (sizeof(struct type86_fmt2_msg) + - CEIL4(xcRB->reply_data_length)); - } + return -EINVAL; + replylen = sizeof(struct type86_fmt2_msg) + + CEIL4(xcRB->reply_control_blk_length) + + xcRB->reply_data_length; + if (replylen > PCIXCC_MAX_XCRB_MESSAGE_SIZE) + return -EINVAL; /* prepare type6 header */ msg->hdr = static_type6_hdrX; @@ -326,7 +314,7 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev, return -EFAULT; if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) > xcRB->request_control_blk_length) - return -EFAULT; + return -EINVAL; function_code = ((unsigned char *)&msg->cprbx) + msg->cprbx.cprb_len; memcpy(msg->hdr.function_code, function_code, sizeof(msg->hdr.function_code)); @@ -678,7 +666,7 @@ static void zcrypt_pcixcc_receive(struct ap_device *ap_dev, break; case PCIXCC_RESPONSE_TYPE_XCRB: length = t86r->fmt2.offset2 + t86r->fmt2.count2; - length = min(PCIXCC_MAX_XCRB_RESPONSE_SIZE, length); + length = min(PCIXCC_MAX_XCRB_MESSAGE_SIZE, length); memcpy(msg->message, reply->message, length); break; default: @@ -1043,7 +1031,7 @@ static int zcrypt_pcixcc_probe(struct ap_device *ap_dev) struct zcrypt_device *zdev; int rc = 0; - zdev = zcrypt_device_alloc(PCIXCC_MAX_RESPONSE_SIZE); + zdev = zcrypt_device_alloc(PCIXCC_MAX_XCRB_MESSAGE_SIZE); if (!zdev) return -ENOMEM; zdev->ap_dev = ap_dev; |