msm: ipa3: Fix to prevent Integer Overflow

The value of `req->filter_spec_ex2_list_len`
is user input via ioctl and it's type is uint32,
so an integer overflow may occur. Which can result
in out of bound access in the following loop. Now
add changes to prevent Integer overflow.

Change-Id: Ia29b9ddc674e5dd3d5baf6623cf0a464c156d8f7
Signed-off-by: Piyush Dhyani <[email protected]>

drivers/platform/msm/ipa/ipa_v3/ipa_qmi_service.c

@@ -1021,7 +1021,10 @@ int ipa3_qmi_add_offload_request_send(
 	}
 
 	/* check if the filter rules from IPACM is valid */
-	if (req->filter_spec_ex2_list_len == 0) {
+	if (req->filter_spec_ex2_list_len < 0) {
+		IPAWANERR("IPACM pass invalid num of rules\n");
+		return -EINVAL;
+	} else if (req->filter_spec_ex2_list_len == 0) {
 		IPAWANDBG("IPACM pass zero rules to Q6\n");
 	} else {
 		IPAWANDBG("IPACM pass %u rules to Q6\n",
@@ -1029,9 +1032,10 @@ int ipa3_qmi_add_offload_request_send(
 	}
 
 	/* currently set total max to 64 */
-	if (req->filter_spec_ex2_list_len +
-		ipa3_qmi_ctx->num_ipa_offload_connection
-		>= QMI_IPA_MAX_FILTERS_V01) {
+	if ((ipa3_qmi_ctx->num_ipa_offload_connection < 0) ||
+		(req->filter_spec_ex2_list_len >=
+		(QMI_IPA_MAX_FILTERS_V01 -
+			ipa3_qmi_ctx->num_ipa_offload_connection))) {
 		IPAWANDBG(
 		"cur(%d), req(%d), exceed limit (%d)\n",
 			ipa3_qmi_ctx->num_ipa_offload_connection,