From c1cd71e6ee5ed9aaec8fc1cecea3f7a12676c977 Mon Sep 17 00:00:00 2001 From: Manoj Prabhu B Date: Thu, 18 Apr 2019 16:49:49 +0530 Subject: diag: dci: Validate dci response length before parsing Prevent possible out of bound access due to missing length check while extracting dci packet response by adding proper checks. CRs-Fixed: 2434571 Change-Id: I7b6972bf6559bdca99333a75d989cd6d3431b801 Signed-off-by: Manoj Prabhu B --- drivers/char/diag/diag_dci.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'drivers') diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c index e043b08a3467..8d5f505e4e34 100644 --- a/drivers/char/diag/diag_dci.c +++ b/drivers/char/diag/diag_dci.c @@ -984,7 +984,7 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source, int save_req_uid = 0; struct diag_dci_pkt_rsp_header_t pkt_rsp_header; - if (!buf) { + if (!buf || len <= 0) { pr_err("diag: Invalid pointer in %s\n", __func__); return; } @@ -998,6 +998,8 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source, dci_cmd_code); return; } + if (len < (cmd_code_len + sizeof(int))) + return; temp += cmd_code_len; tag = *(int *)temp; temp += sizeof(int); @@ -1006,10 +1008,16 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source, * The size of the response is (total length) - (length of the command * code, the tag (int) */ - rsp_len = len - (cmd_code_len + sizeof(int)); - if ((rsp_len == 0) || (rsp_len > (len - 5))) { - pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d", - __func__, len, rsp_len); + if (len >= cmd_code_len + sizeof(int)) { + rsp_len = len - (cmd_code_len + sizeof(int)); + if ((rsp_len == 0) || (rsp_len > (len - 5))) { + pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d\n", + __func__, len, rsp_len); + return; + } + } else { + pr_err("diag:%s: Invalid length(%d) for calculating rsp_len\n", + __func__, len); return; } -- cgit v1.2.3