
Commit 5b9bc8cf authored by Hardik Arya's avatar Hardik Arya

diag: Prevent out-of-bound access while processing non-hdlc pkt



While parsing a non-HDLC packet, the buffer length passed to HDLC
recovery is not updated after a partial packet has been consumed, which
can lead to an out-of-bounds access. This patch passes the updated
(remaining) buffer length instead.

Change-Id: I5596f8c5a72680684c9c9056dccaf33e3c36832c
Signed-off-by: default avatarHardik Arya <harya@codeaurora.org>
parent 16f99f5f
+5 −5
@@ -1745,7 +1745,7 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, int pid)
		if (*(uint8_t *)(data_ptr + actual_pkt->length) !=
						CONTROL_CHAR) {
			mutex_unlock(&driver->hdlc_recovery_mutex);
			diag_hdlc_start_recovery(buf, len, pid);
			diag_hdlc_start_recovery(buf, (len - read_bytes), pid);
			mutex_lock(&driver->hdlc_recovery_mutex);
		}
		err = diag_process_apps_pkt(data_ptr,
@@ -1771,8 +1771,8 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, int pid)
		pkt_len = actual_pkt->length;

		if (actual_pkt->start != CONTROL_CHAR) {
			diag_hdlc_start_recovery(buf, len, pid);
			diag_send_error_rsp(buf, len, pid);
			diag_hdlc_start_recovery(buf, (len - read_bytes), pid);
			diag_send_error_rsp(buf, (len - read_bytes), pid);
			goto end;
		}
		mutex_lock(&driver->hdlc_recovery_mutex);
@@ -1780,7 +1780,7 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, int pid)
			pr_err("diag: In %s, incoming data is too large for the request buffer %d\n",
			       __func__, pkt_len);
			mutex_unlock(&driver->hdlc_recovery_mutex);
			diag_hdlc_start_recovery(buf, len, pid);
			diag_hdlc_start_recovery(buf, (len - read_bytes), pid);
			break;
		}
		if ((pkt_len + header_len) > (len - read_bytes)) {
@@ -1797,7 +1797,7 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, int pid)
		if (*(uint8_t *)(data_ptr + actual_pkt->length) !=
						CONTROL_CHAR) {
			mutex_unlock(&driver->hdlc_recovery_mutex);
			diag_hdlc_start_recovery(buf, len, pid);
			diag_hdlc_start_recovery(buf, (len - read_bytes), pid);
			mutex_lock(&driver->hdlc_recovery_mutex);
		}
		else
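Review bot: The branch opened by the last line of the third hunk, `if ((pkt_len + header_len) > (len - read_bytes))`, is precisely the case where a packet runs past the remaining bytes, yet its body lies outside the shown hunks and the diffstat (+5 −5, all five pairs visible here) indicates this commit does not touch it; if that body still calls `diag_hdlc_start_recovery(buf, len, pid)`, the over-read this commit fixes survives on that path and the call should likewise become `diag_hdlc_start_recovery(buf, (len - read_bytes), pid);`. Passing `len - read_bytes` is also only a correct window if `buf` has been advanced by `read_bytes` before each of these calls; that advance is not within the shown lines, so it is worth confirming for the partial-packet path in the first hunk in particular, where a shortened length against an un-advanced `buf` would silently drop the tail of the chunk from recovery. A one-line comment at the first changed call, `/* buf already advanced by read_bytes; hand recovery only the remaining bytes */`, would make the invariant explicit for future edits. diag_process_non_hdlc_pkt starts before and ends after the hunks shown here.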