diag : Safeguard for bound checks and integer underflow

		driver->real_time_mode);

#ifdef CONFIG_DIAG_OVER_USB

	ret += scnprintf(buf+ret, DEBUG_BUF_SIZE,

	ret += scnprintf(buf+ret, DEBUG_BUF_SIZE-ret,

		"usb_connected: %d\n",

		driver->usb_connected);

#endif

				char __user *ubuf, size_t count, loff_t *ppos)

{

	char *buf = NULL;

	int bytes_remaining, bytes_written = 0, bytes_in_buf = 0, i = 0;

	unsigned int bytes_remaining, bytes_written = 0;

	unsigned int bytes_in_buf = 0, i = 0;

	struct diag_dci_data_info *temp_data = dci_data_smd;

	int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;

						diag_notify_update_smd_work)));

#ifdef CONFIG_DIAG_OVER_USB

	ret += scnprintf(buf+ret, DEBUG_BUF_SIZE,

	ret += scnprintf(buf+ret, DEBUG_BUF_SIZE-ret,

		"diag_proc_hdlc_work: %d\n"

		"diag_read_work: %d\n",

		work_pending(&(driver->diag_proc_hdlc_work)),

	char *buf;

	int ret = 0;

	int i;

	int bytes_remaining;

	int bytes_in_buffer = 0;

	int bytes_written;

	unsigned int bytes_remaining;

	unsigned int bytes_in_buffer = 0;

	unsigned int bytes_written;

	int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;

	if (diag_dbgfs_table_index >= diag_max_reg) {

	char *buf;

	int ret;

	int i;

	int bytes_remaining;

	int bytes_in_buffer = 0;

	int bytes_written;

	unsigned int bytes_remaining;

	unsigned int bytes_in_buffer = 0;

	unsigned int bytes_written;

	int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;

	int bytes_hsic_inited = 45;

	int bytes_hsic_not_inited = 410;

MODULE_LICENSE("GPL v2");

MODULE_VERSION("1.0");

#define MIN_SIZ_ALLOW 4

#define INIT	1

#define EXIT	-1

struct diagchar_dev *driver;

	index = 0;

	/* Get the packet type F3/log/event/Pkt response */

	err = copy_from_user((&pkt_type), buf, 4);

	if (err) {

		pr_alert("diag: copy failed for pkt_type\n");

		return -EAGAIN;

	}

	/* First 4 bytes indicate the type of payload - ignore these */

	if (count < 4) {

		pr_err("diag: Client sending short data\n");

		return err;

	}

	if (pkt_type == CALLBACK_DATA_TYPE) {

		if (payload_size > driver->itemsize) {

			pr_err("diag: Dropping packet, packet payload size crosses 4KB limit. Current payload size %d\n",

		if (payload_size > itemsize || payload_size <= MIN_SIZ_ALLOW) {

			pr_err("diag: Dropping packet, invalid packet size. Current payload size %d\n",

				payload_size);

			driver->dropped_count++;

			return -EBADMSG;

			return -EIO;

		}

		/* Check for proc_type */

		remote_proc =

			diag_get_remote(*(int *)driver->user_space_data_buf);

		remote_proc = diag_get_remote(*(int *)user_space_data);

		if (remote_proc) {

			if (payload_size <= MIN_SIZ_ALLOW) {

				pr_err("diag: Integer underflow in %s, payload size: %d",

							__func__, payload_size);

				diagmem_free(driver, user_space_data,

								POOL_TYPE_USER);

				user_space_data = NULL;

				return -EBADMSG;

			}

			token_offset = 4;

			payload_size -= 4;

			buf += 4;

	int msg_start;

	if (hdlc && hdlc->src_ptr && hdlc->dest_ptr &&

	    (hdlc->src_size - hdlc->src_idx > 0) &&

	    (hdlc->dest_size - hdlc->dest_idx > 0)) {

	    (hdlc->src_size > hdlc->src_idx) &&

	    (hdlc->dest_size > hdlc->dest_idx)) {

		msg_start = (hdlc->src_idx == 0) ? 1 : 0;