Loading drivers/char/diag/diag_debugfs.c +8 −7 Original line number Diff line number Diff line Loading @@ -197,7 +197,8 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file, char __user *ubuf, size_t count, loff_t *ppos) { char *buf = NULL; int bytes_remaining, bytes_written = 0, bytes_in_buf = 0, i = 0; unsigned int bytes_remaining, bytes_written = 0; unsigned int bytes_in_buf = 0, i = 0; struct diag_dci_data_info *temp_data = dci_data_smd; int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count; Loading Loading @@ -353,9 +354,9 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, char *buf; int ret = 0; int i; int bytes_remaining; int bytes_in_buffer = 0; int bytes_written; unsigned int bytes_remaining; unsigned int bytes_in_buffer = 0; unsigned int bytes_written; int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count; if (diag_dbgfs_table_index >= diag_max_reg) { Loading Loading @@ -526,9 +527,9 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf, char *buf; int ret; int i; int bytes_remaining; int bytes_in_buffer = 0; int bytes_written; unsigned int bytes_remaining; unsigned int bytes_in_buffer = 0; unsigned int bytes_written; int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count; int bytes_hsic_inited = 45; int bytes_hsic_not_inited = 410; Loading drivers/char/diag/diagchar_core.c +13 −2 Original line number Diff line number Diff line Loading @@ -51,6 +51,7 @@ MODULE_DESCRIPTION("Diag Char Driver"); MODULE_LICENSE("GPL v2"); MODULE_VERSION("1.0"); #define MIN_SIZ_ALLOW 4 #define INIT 1 #define EXIT -1 struct diagchar_dev *driver; Loading Loading @@ -1479,6 +1480,10 @@ static ssize_t diagchar_write(struct file *file, const char __user *buf, index = 0; /* Get the packet type F3/log/event/Pkt response */ err = copy_from_user((&pkt_type), buf, 4); if (err) { pr_alert("diag: copy failed for pkt_type\n"); return -EAGAIN; } /* First 4 bytes indicate the type of payload - ignore these */ if (count < 4) { pr_err("diag: Client sending short data\n"); Loading Loading @@ -1522,8 +1527,9 @@ static ssize_t diagchar_write(struct file *file, const char __user *buf, return err; } if (pkt_type == CALLBACK_DATA_TYPE) { if (payload_size > driver->itemsize) { pr_err("diag: Dropping packet, packet payload size crosses 4KB limit. Current payload size %d\n", if (payload_size > driver->itemsize || payload_size <= MIN_SIZ_ALLOW) { pr_err("diag: Dropping packet, invalid packet size. Current payload size %d\n", payload_size); driver->dropped_count++; return -EBADMSG; Loading Loading @@ -1657,6 +1663,11 @@ static ssize_t diagchar_write(struct file *file, const char __user *buf, diag_get_remote(*(int *)driver->user_space_data_buf); if (remote_proc) { if (payload_size <= MIN_SIZ_ALLOW) { pr_err("diag: Integer underflow in %s, payload size: %d", __func__, payload_size); return -EBADMSG; } token_offset = 4; payload_size -= 4; buf += 4; Loading drivers/char/diag/diagchar_hdlc.c +2 −2 Original line number Diff line number Diff line Loading @@ -177,8 +177,8 @@ int diag_hdlc_decode(struct diag_hdlc_decode_type *hdlc) int msg_start; if (hdlc && hdlc->src_ptr && hdlc->dest_ptr && (hdlc->src_size - hdlc->src_idx > 0) && (hdlc->dest_size - hdlc->dest_idx > 0)) { (hdlc->src_size > hdlc->src_idx) && (hdlc->dest_size > hdlc->dest_idx)) { msg_start = (hdlc->src_idx == 0) ? 1 : 0; Loading Loading
drivers/char/diag/diag_debugfs.c +8 −7 Original line number Diff line number Diff line Loading @@ -197,7 +197,8 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file, char __user *ubuf, size_t count, loff_t *ppos) { char *buf = NULL; int bytes_remaining, bytes_written = 0, bytes_in_buf = 0, i = 0; unsigned int bytes_remaining, bytes_written = 0; unsigned int bytes_in_buf = 0, i = 0; struct diag_dci_data_info *temp_data = dci_data_smd; int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count; Loading Loading @@ -353,9 +354,9 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, char *buf; int ret = 0; int i; int bytes_remaining; int bytes_in_buffer = 0; int bytes_written; unsigned int bytes_remaining; unsigned int bytes_in_buffer = 0; unsigned int bytes_written; int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count; if (diag_dbgfs_table_index >= diag_max_reg) { Loading Loading @@ -526,9 +527,9 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf, char *buf; int ret; int i; int bytes_remaining; int bytes_in_buffer = 0; int bytes_written; unsigned int bytes_remaining; unsigned int bytes_in_buffer = 0; unsigned int bytes_written; int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count; int bytes_hsic_inited = 45; int bytes_hsic_not_inited = 410; Loading
drivers/char/diag/diagchar_core.c +13 −2 Original line number Diff line number Diff line Loading @@ -51,6 +51,7 @@ MODULE_DESCRIPTION("Diag Char Driver"); MODULE_LICENSE("GPL v2"); MODULE_VERSION("1.0"); #define MIN_SIZ_ALLOW 4 #define INIT 1 #define EXIT -1 struct diagchar_dev *driver; Loading Loading @@ -1479,6 +1480,10 @@ static ssize_t diagchar_write(struct file *file, const char __user *buf, index = 0; /* Get the packet type F3/log/event/Pkt response */ err = copy_from_user((&pkt_type), buf, 4); if (err) { pr_alert("diag: copy failed for pkt_type\n"); return -EAGAIN; } /* First 4 bytes indicate the type of payload - ignore these */ if (count < 4) { pr_err("diag: Client sending short data\n"); Loading Loading @@ -1522,8 +1527,9 @@ static ssize_t diagchar_write(struct file *file, const char __user *buf, return err; } if (pkt_type == CALLBACK_DATA_TYPE) { if (payload_size > driver->itemsize) { pr_err("diag: Dropping packet, packet payload size crosses 4KB limit. Current payload size %d\n", if (payload_size > driver->itemsize || payload_size <= MIN_SIZ_ALLOW) { pr_err("diag: Dropping packet, invalid packet size. Current payload size %d\n", payload_size); driver->dropped_count++; return -EBADMSG; Loading Loading @@ -1657,6 +1663,11 @@ static ssize_t diagchar_write(struct file *file, const char __user *buf, diag_get_remote(*(int *)driver->user_space_data_buf); if (remote_proc) { if (payload_size <= MIN_SIZ_ALLOW) { pr_err("diag: Integer underflow in %s, payload size: %d", __func__, payload_size); return -EBADMSG; } token_offset = 4; payload_size -= 4; buf += 4; Loading
drivers/char/diag/diagchar_hdlc.c +2 −2 Original line number Diff line number Diff line Loading @@ -177,8 +177,8 @@ int diag_hdlc_decode(struct diag_hdlc_decode_type *hdlc) int msg_start; if (hdlc && hdlc->src_ptr && hdlc->dest_ptr && (hdlc->src_size - hdlc->src_idx > 0) && (hdlc->dest_size - hdlc->dest_idx > 0)) { (hdlc->src_size > hdlc->src_idx) && (hdlc->dest_size > hdlc->dest_idx)) { msg_start = (hdlc->src_idx == 0) ? 1 : 0; Loading
