diag: Check buffer size against command structure size (ae476f26) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/char/diag/diagfwd.c

+6 −3

Original line number	Original line	Diff line number	Diff line
	@@ -693,7 +693,8 @@ int diag_process_time_sync_query_cmd(unsigned char *src_buf, int src_len,
	struct diag_cmd_time_sync_query_req_t *req = NULL;		struct diag_cmd_time_sync_query_req_t *req = NULL;
	struct diag_cmd_time_sync_query_rsp_t rsp;		struct diag_cmd_time_sync_query_rsp_t rsp;

	if (!src_buf \|\| !dest_buf \|\| src_len <= 0 \|\| dest_len <= 0) {		if (!src_buf \|\| !dest_buf \|\| src_len <= 0 \|\| dest_len <= 0 \|\|
			src_len < sizeof(struct diag_cmd_time_sync_query_req_t)) {
	pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d\n",		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d\n",
	__func__, src_buf, src_len, dest_buf, dest_len);		__func__, src_buf, src_len, dest_buf, dest_len);
	return -EINVAL;		return -EINVAL;
	@@ -723,7 +724,8 @@ int diag_process_diag_id_query_cmd(unsigned char *src_buf, int src_len,
	int num_entries = 0;		int num_entries = 0;
	uint8_t process_name_len = 0;		uint8_t process_name_len = 0;

	if (!src_buf \|\| !dest_buf \|\| src_len <= 0 \|\| dest_len <= 0) {		if (!src_buf \|\| !dest_buf \|\| src_len <= 0 \|\| dest_len <= 0 \|\|
			src_len < sizeof(struct diag_cmd_diag_id_query_req_t)) {
	pr_err("diag: Invalid input in %s, src_buf:%pK, src_len:%d, dest_buf:%pK, dest_len:%d\n",		pr_err("diag: Invalid input in %s, src_buf:%pK, src_len:%d, dest_buf:%pK, dest_len:%d\n",
	__func__, src_buf, src_len, dest_buf, dest_len);		__func__, src_buf, src_len, dest_buf, dest_len);
	return -EINVAL;		return -EINVAL;
	@@ -769,7 +771,8 @@ int diag_process_time_sync_switch_cmd(unsigned char *src_buf, int src_len,
	int msg_size = sizeof(struct diag_ctrl_msg_time_sync);		int msg_size = sizeof(struct diag_ctrl_msg_time_sync);
	int err = 0, write_len = 0;		int err = 0, write_len = 0;

	if (!src_buf \|\| !dest_buf \|\| src_len <= 0 \|\| dest_len <= 0) {		if (!src_buf \|\| !dest_buf \|\| src_len <= 0 \|\| dest_len <= 0 \|\|
			src_len < sizeof(struct diag_cmd_time_sync_switch_req_t)) {
	pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d\n",		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d\n",
	__func__, src_buf, src_len, dest_buf, dest_len);		__func__, src_buf, src_len, dest_buf, dest_len);
	return -EINVAL;		return -EINVAL;