diag: Prevent out-of-bound access while processing dci transaction (7428f3c8) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/char/diag/diag_dci.c

+5 −5

Original line number	Diff line number	Diff line
		@@ -2083,9 +2083,9 @@ int diag_process_dci_transaction(unsigned char *buf, int len)
		uint8_t *event_mask_ptr;
		struct diag_dci_client_tbl *dci_entry = NULL;

		if (!temp) {
		pr_err("diag: Invalid buffer in %s\n", __func__);
		return -ENOMEM;
		if (!temp \|\| len < sizeof(int)) {
		pr_err("diag: Invalid input in %s\n", __func__);
		return -EINVAL;
		}

		/* This is Pkt request/response transaction */
		@@ -2141,7 +2141,7 @@ int diag_process_dci_transaction(unsigned char *buf, int len)
		count = 0; /* iterator for extracting log codes */

		while (count < num_codes) {
		if (read_len >= USER_SPACE_DATA) {
		if (read_len + sizeof(uint16_t) > len) {
		pr_err("diag: dci: Invalid length for log type in %s\n",
		__func__);
		mutex_unlock(&driver->dci_mutex);
		@@ -2255,7 +2255,7 @@ int diag_process_dci_transaction(unsigned char *buf, int len)
		pr_debug("diag: head of dci event mask %pK\n", event_mask_ptr);
		count = 0; /* iterator for extracting log codes */
		while (count < num_codes) {
		if (read_len >= USER_SPACE_DATA) {
		if (read_len + sizeof(int) > len) {
		pr_err("diag: dci: Invalid length for event type in %s\n",
		__func__);
		mutex_unlock(&driver->dci_mutex);

+1 −1

Original line number	Diff line number	Diff line
		@@ -18,7 +18,7 @@
		#define DISABLE_LOG_MASK 0
		#define MAX_EVENT_SIZE 512
		#define DCI_CLIENT_INDEX_INVALID -1
		#define DCI_LOG_CON_MIN_LEN 14
		#define DCI_LOG_CON_MIN_LEN 16
		#define DCI_EVENT_CON_MIN_LEN 16

		#define EXT_HDR_LEN 8