Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 665d0595 authored by Hardik Arya's avatar Hardik Arya Committed by Gerrit - the friendly Code Review server
Browse files

diag: Add proper checks to fix possible out-of-bound issue 



Currently, there is a possibility of out-of-bound access while
processing data received from user space. The patch adds proper
checks for valid address.

CRs-Fixed: 2048536
Change-Id: I1e0fc7a9d69e69f3326429d5d9540dd3bb1a59b0
Signed-off-by: default avatarHardik Arya <harya@codeaurora.org>
parent bfd96c27

drivers/char/diag/diagchar_core.c

+19 −4
Original line number Diff line number Diff line
@@ -966,6 +966,11 @@ static int diag_send_raw_data_remote(int proc, void *buf, int len, 
	else

		hdlc_disabled = driver->hdlc_disabled;

	if (hdlc_disabled) {

		if (len < 4) {

			pr_err("diag: In %s, invalid len: %d of non_hdlc pkt",

			__func__, len);

			return -EBADMSG;

		}

		payload = *(uint16_t *)(buf + 2);

		if (payload > DIAG_MAX_HDLC_BUF_SIZE) {

			pr_err("diag: Dropping packet, payload size is %d\n",
@@ -974,11 +979,21 @@ static int diag_send_raw_data_remote(int proc, void *buf, int len, 
		}

		driver->hdlc_encode_buf_len = payload;

		/*

		 * Adding 4 bytes for start (1 byte), version (1 byte) and

		 * payload (2 bytes)

		 * Adding 5 bytes for start (1 byte), version (1 byte),

		 * payload (2 bytes) and end (1 byte)

		 */

		if (len == (payload + 5)) {

			/*

			 * Adding 4 bytes for start (1 byte), version (1 byte)

			 * and payload (2 bytes)

			 */

			memcpy(driver->hdlc_encode_buf, buf + 4, payload);

			goto send_data;

		} else {

			pr_err("diag: In %s, invalid len: %d of non_hdlc pkt",

			__func__, len);

			return -EBADMSG;

		}

	}



	if (hdlc_flag) {