
Commit 360f8047 authored by Lakshay Verma

diag: Prevent out-of-bound read while processing peripheral ctrl_pkt



There is a possibility of out-of-bound access while processing control
packet received from peripheral due to missing buffer length check.
The patch adds proper check to fix the same.

Change-Id: I6793a47ca21c6e0ba52863a350decb90feb81a88
Signed-off-by: Lakshay Verma <laksverm@codeaurora.org>
parent f0d0d92d
+3 −1
/* Copyright (c) 2011-2019, The Linux Foundation. All rights reserved.
/* Copyright (c) 2011-2020, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -886,6 +886,8 @@ void diag_cntl_process_read_data(struct diagfwd_info *p_info, void *buf,

	while (read_len + header_len < len) {
		ctrl_pkt = (struct diag_ctrl_pkt_header_t *)ptr;
		if ((read_len + header_len + ctrl_pkt->len) > len)
			return;
		switch (ctrl_pkt->pkt_id) {
		case DIAG_CTRL_MSG_REG:
			process_command_registration(ptr, ctrl_pkt->len,
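Review bot: the new check at the top of the while loop, `if ((read_len + header_len + ctrl_pkt->len) > len)`, adds the peripheral-supplied `ctrl_pkt->len` into the sum before comparing, so a very large length value could wrap the addition and pass the test, depending on the operand types (the declarations are not visible in this hunk). Since the loop condition already guarantees `read_len + header_len < len`, the subtraction form `ctrl_pkt->len > len - read_len - header_len` avoids the wrap and expresses the same bound. Separately, the bare `return` silently discards the rest of the buffer; a rate-limited error log naming the peripheral and the offending length would make malformed control packets visible when debugging or investigating.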