
Commit c6cecd4f authored by Manoj Prabhu B

diag: Sanitize non-hdlc pkt length against buffer capacity



Avoid possible out of bound access by sanitizing the non-hdlc
packet length against the buffer capacity.

Change-Id: Ic54c30fd9c6b2985241387760580613267be2654
Signed-off-by: Manoj Prabhu B <quic_bmanoj@quicinc.com>
parent e904060a
+11 −0
@@ -1824,6 +1824,12 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, int pid)
	if (partial_pkt->remaining == 0) {
		actual_pkt = (struct diag_pkt_frame_t *)(partial_pkt->data);
		data_ptr = partial_pkt->data + header_len;
		if ((header_len + actual_pkt->length + 1) >
				partial_pkt->capacity) {
			mutex_unlock(&driver->hdlc_recovery_mutex);
			return;
		}

		if (*(uint8_t *)(data_ptr + actual_pkt->length) !=
						CONTROL_CHAR) {
			mutex_unlock(&driver->hdlc_recovery_mutex);
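Review bot: the new capacity check in the `partial_pkt->remaining == 0` branch returns silently, so a packet whose declared length exceeds `partial_pkt->capacity` leaves no trace, and the only cleanup on that path is the `mutex_unlock`. Consider logging the drop with a rate-limited message (for example `pr_err_ratelimited`) that includes `actual_pkt->length` and `partial_pkt->capacity`, and confirm whether `partial_pkt` needs to be reset before the `return` so the next call does not re-enter this branch with the same stale data. The sum `header_len + actual_pkt->length + 1` is built from a length read out of the packet; the field's type is not visible in this hunk, so it is worth confirming the expression cannot wrap or go negative before the comparison.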
@@ -1875,6 +1881,11 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, int pid)
			mutex_unlock(&driver->hdlc_recovery_mutex);
			break;
		}
		if ((header_len + actual_pkt->length + 1) >
				partial_pkt->capacity) {
			mutex_unlock(&driver->hdlc_recovery_mutex);
			break;
		}
		data_ptr = buf + header_len;
		if (*(uint8_t *)(data_ptr + actual_pkt->length) !=
						CONTROL_CHAR) {
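Review bot: in this second check the bound is `partial_pkt->capacity`, but the read that follows is from `buf` (`data_ptr = buf + header_len`), whose size is the `len` argument rather than the partial buffer's capacity. If no earlier check in this loop already limits `header_len + actual_pkt->length + 1` to the bytes left in `buf`, compare against that remaining length here as well; if such a check exists above, a short comment stating which access the capacity test protects would make the intent clear. The condition repeats the expression from the first hunk, so a small helper would keep the two copies from drifting apart.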