Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 58b2ea36 authored by Hardik Arya's avatar Hardik Arya Committed by Gerrit - the friendly Code Review server
Browse files

diag: Validate query dci event and log mask size properly 



Currently there is possibility of out-of-bound read due to
incorrect validation of received dci event and log mask for
query. The patch update the validation for the same.

Change-Id: I4266eb0f69fdbfa48c5aacc17744dec83995e9e6
Signed-off-by: default avatarHardik Arya <harya@codeaurora.org>
parent 81043330

drivers/char/diag/diag_dci.c

+2 −2
Original line number Diff line number Diff line
@@ -657,7 +657,7 @@ int diag_dci_query_log_mask(struct diag_dci_client_tbl *entry, 
	byte_mask = 0x01 << (item_num % 8);

	offset = equip_id * 514;



	if (offset + byte_index > DCI_LOG_MASK_SIZE) {

	if (offset + byte_index >= DCI_LOG_MASK_SIZE) {

		pr_err("diag: In %s, invalid offset: %d, log_code: %d, byte_index: %d\n",

				__func__, offset, log_code, byte_index);

		return 0;
@@ -684,7 +684,7 @@ int diag_dci_query_event_mask(struct diag_dci_client_tbl *entry, 
	bit_index = event_id % 8;

	byte_mask = 0x1 << bit_index;



	if (byte_index > DCI_EVENT_MASK_SIZE) {

	if (byte_index >= DCI_EVENT_MASK_SIZE) {

		pr_err("diag: In %s, invalid, event_id: %d, byte_index: %d\n",

				__func__, event_id, byte_index);

		return 0;