ANDROID: binder: re-order some conditions

It doesn't make any difference to runtime but I've switched these two checks to make my static checker happy. The problem is that "buffer->data_size" is user controlled and if it's less than "sizeo(*hdr)" then that means "offset" can be more than "buffer->data_size". It's just cleaner to check it in the other order. Signed-off-by: Dan Carpenter <[email protected]> Acked-by: Martijn Coenen <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
natale-p · Apr 23, 2018 · 361f2dd · 361f2dd
1 parent 6d08b06
commit 361f2dd
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
@@ -2058,8 +2058,8 @@ static size_t binder_validate_object(struct binder_buffer *buffer, u64 offset)
 	struct binder_object_header *hdr;
 	size_t object_size = 0;
 
-	if (offset > buffer->data_size - sizeof(*hdr) ||
-	    buffer->data_size < sizeof(*hdr) ||
+	if (buffer->data_size < sizeof(*hdr) ||
+	    offset > buffer->data_size - sizeof(*hdr) ||
 	    !IS_ALIGNED(offset, sizeof(u32)))
 		return 0;