author | Manoj Prabhu B <bmanoj@codeaurora.org> | 2019-04-18 16:49:49 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-04-26 22:44:17 -0700 |
commit | c1cd71e6ee5ed9aaec8fc1cecea3f7a12676c977 (patch) | |
tree | 621bf7a625f526035bce08d37936d79b7c87876f | |
parent | ef08a221c5315aec3cbcf351b591b5f4352bc901 (diff) |
diag: dci: Validate dci response length before parsing
Prevent possible out of bound access due to missing length check
while extracting dci packet response by adding proper checks.
CRs-Fixed: 2434571
Change-Id: I7b6972bf6559bdca99333a75d989cd6d3431b801
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
-rw-r--r-- | drivers/char/diag/diag_dci.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index e043b08a3467..8d5f505e4e34 100644
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -984,7 +984,7 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
 int save_req_uid = 0;
 struct diag_dci_pkt_rsp_header_t pkt_rsp_header;
- if (!buf) {
+ if (!buf || len <= 0) {
 pr_err("diag: Invalid pointer in %s\n", __func__);
 return;
 }
@@ -998,6 +998,8 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
 dci_cmd_code);
 return;
 }
+ if (len < (cmd_code_len + sizeof(int)))
+ return;
 temp += cmd_code_len;
 tag = *(int *)temp;
 temp += sizeof(int);
@@ -1006,10 +1008,16 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
 * The size of the response is (total length) - (length of the command
 * code, the tag (int)
 */
- rsp_len = len - (cmd_code_len + sizeof(int));
- if ((rsp_len == 0) || (rsp_len > (len - 5))) {
- pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d",
- __func__, len, rsp_len);
+ if (len >= cmd_code_len + sizeof(int)) {
+ rsp_len = len - (cmd_code_len + sizeof(int));
+ if ((rsp_len == 0) || (rsp_len > (len - 5))) {
+ pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d\n",
+ __func__, len, rsp_len);
+ return;
+ }
+ } else {
+ pr_err("diag:%s: Invalid length(%d) for calculating rsp_len\n",
+ __func__, len);
 return;
 }
|
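Review bot: The widened guard `if (!buf || len <= 0)` in the first hunk still logs "Invalid pointer" when the packet is rejected for a non-positive `len`, so a malformed-length response is reported as a NULL-buffer problem. Logging the value keeps the two causes distinguishable for whoever triages the message, e.g. `pr_err("diag: Invalid buf or len (%d) in %s\n", len, __func__);`. The body of extract_dci_pkt_rsp starts before and continues past this hunk.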
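Review bot: The early `if (len < (cmd_code_len + sizeof(int))) return;` in the second hunk drops a short packet without logging, while the third hunk wraps the `rsp_len` computation in the same test, `len >= cmd_code_len + sizeof(int)`, and puts the only log message in its `else`. In the visible lines nothing modifies `len` or `cmd_code_len` between the two tests, so that `else` looks unreachable and a truncated response leaves no trace in the log (a few lines between the hunks are not shown, so this is inferred). Moving `pr_err("diag:%s: Invalid length(%d) for calculating rsp_len\n", __func__, len);` into the early check, and removing the wrapper in the third hunk, would leave one bounds check ahead of the `*(int *)temp` read and one log line. The comparison mixes `int` with `size_t` and is only safe because `len <= 0` is rejected at the top of the function; a one-line comment such as `/* len > 0 is guaranteed above, so the unsigned compare is safe */` would record that dependency.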