
qcedev: check num_fds during unmap

Check the num_fds passed into the unmap buf ioctl;
otherwise it can lead to an out-of-bounds access.

Change-Id: Ief209a60a6b7dc1ea4be485eaf5cf51d2955a980
Signed-off-by: Gaurav Kashyap <[email protected]>
Gaurav Kashyap 2 years ago
parent
commit
94990a445d
1 changed files with 9 additions and 1 deletions
  1. 9 1
      crypto-qti/qcedev.c

+ 9 - 1
crypto-qti/qcedev.c

@@ -2415,7 +2415,9 @@ long qcedev_ioctl(struct file *file,
 				goto exit_free_qcedev_areq;
 			}
 
-			if (map_buf.num_fds > QCEDEV_MAX_BUFFERS) {
+			if (map_buf.num_fds > ARRAY_SIZE(map_buf.fd)) {
+				pr_err("%s: err: num_fds = %d exceeds max value\n",
+							__func__, map_buf.num_fds);
 				err = -EINVAL;
 				goto exit_free_qcedev_areq;
 			}
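Review bot: The new `pr_err` in this check, and the identical one in the unmap hunk below, fires on a value the caller fully controls, so repeated ioctls with an oversized `num_fds` can flood the kernel log. Using `pr_err_ratelimited(` with the same arguments would keep the diagnostic without that side effect. The `%d` specifier also looks wrong if `num_fds` is an unsigned 32-bit field, which its declaration outside this hunk would confirm; `%u` would then print the rejected value as given rather than as a negative number. The enclosing `qcedev_ioctl` case starts and ends outside the hunk.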
@@ -2455,6 +2457,12 @@ long qcedev_ioctl(struct file *file,
 				err = -EFAULT;
 				goto exit_free_qcedev_areq;
 			}
+			if (unmap_buf.num_fds > ARRAY_SIZE(unmap_buf.fd)) {
+				pr_err("%s: err: num_fds = %d exceeds max value\n",
+							__func__, unmap_buf.num_fds);
+				err = -EINVAL;
+				goto exit_free_qcedev_areq;
+			}
 
 			for (i = 0; i < unmap_buf.num_fds; i++) {
 				err = qcedev_check_and_unmap_buffer(handle,
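Review bot: The added bound on `unmap_buf.num_fds` carries no comment saying why it exists, and it sits directly against the closing brace of the `-EFAULT` block, whereas the map check in the first hunk is set off by a blank line. I would add a blank line before it and a comment such as `/* num_fds comes from userspace and bounds the index into unmap_buf.fd[] in the loop below */`, so the check is not dropped in a later refactor. The loop body continues outside the hunk, so whether `i` indexes any other array in `unmap_buf` is not visible here.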