authorManoj Prabhu B <bmanoj@codeaurora.org>2019-04-18 16:49:49 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2019-04-26 22:44:17 -0700
commitc1cd71e6ee5ed9aaec8fc1cecea3f7a12676c977 (patch)
tree621bf7a625f526035bce08d37936d79b7c87876f /drivers
parentef08a221c5315aec3cbcf351b591b5f4352bc901 (diff)
diag: dci: Validate dci response length before parsing
Prevent a possible out-of-bounds access, caused by a missing length check while extracting the dci packet response, by adding proper checks. CRs-Fixed: 2434571 Change-Id: I7b6972bf6559bdca99333a75d989cd6d3431b801 Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/char/diag/diag_dci.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index e043b08a3467..8d5f505e4e34 100644
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -984,7 +984,7 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
int save_req_uid = 0;
struct diag_dci_pkt_rsp_header_t pkt_rsp_header;
- if (!buf) {
+ if (!buf || len <= 0) {
pr_err("diag: Invalid pointer in %s\n", __func__);
return;
}
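Review bot: The `pr_err` under the widened check still reports "Invalid pointer", so a rejection caused by `len <= 0` is logged with the wrong cause. A message that names both conditions and prints the length, e.g. `pr_err("diag: Invalid buf or len (%d) in %s\n", len, __func__);`, would let a malformed-length response be told apart from a NULL buffer in the kernel log. extract_dci_pkt_rsp starts and ends outside this hunk.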
@@ -998,6 +998,8 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
dci_cmd_code);
return;
}
+ if (len < (cmd_code_len + sizeof(int)))
+ return;
temp += cmd_code_len;
tag = *(int *)temp;
temp += sizeof(int);
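Review bot: The added bounds check before `temp += cmd_code_len;` returns without logging, while every other rejection visible in this function calls `pr_err`, so a truncated response is dropped silently. Adding `pr_err("diag: In %s, invalid length %d\n", __func__, len);` before the `return` would keep such packets visible to whoever triages the log. The comparison also mixes `int len` with a `size_t` operand, so it is only correct because the first hunk rejects `len <= 0`; a comment such as `/* len > 0 is checked above, so the unsigned comparison cannot wrap */` would record that dependency. The function body continues outside the hunk.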
@@ -1006,10 +1008,16 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
* The size of the response is (total length) - (length of the command
* code, the tag (int)
*/
- rsp_len = len - (cmd_code_len + sizeof(int));
- if ((rsp_len == 0) || (rsp_len > (len - 5))) {
- pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d",
- __func__, len, rsp_len);
+ if (len >= cmd_code_len + sizeof(int)) {
+ rsp_len = len - (cmd_code_len + sizeof(int));
+ if ((rsp_len == 0) || (rsp_len > (len - 5))) {
+ pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d\n",
+ __func__, len, rsp_len);
+ return;
+ }
+ } else {
+ pr_err("diag:%s: Invalid length(%d) for calculating rsp_len\n",
+ __func__, len);
return;
}
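Review bot: The `if (len >= cmd_code_len + sizeof(int))` wrapper repeats the condition that the previous hunk already enforces with an early return, so the `else` branch and its "Invalid length(%d) for calculating rsp_len" message look unreachable. Either drop the wrapper and keep the flat `rsp_len = len - (cmd_code_len + sizeof(int));` computation, or remove the silent early return in the previous hunk and let this branch do the rejecting and logging. The retained `rsp_len > (len - 5)` test keeps a bare constant; if 5 stands for the smallest command code plus the tag, a comment like `/* 5 = 1-byte cmd code + sizeof(int) tag */` would make that checkable. The function body continues outside the hunk.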