
Commit 63fa4c6e authored by Manoj Prabhu B

diag: dci: Add missing length check before parsing the buffer



Missing check against a structure is added to prevent possible
out of bound access while processing dci packet response.

CRs-Fixed: 2434612
Change-Id: I32c83dcc70bcf6465723be669d23e9f523e82755
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
parent 3d91e789
+3 −1
@@ -1949,7 +1949,9 @@ static int diag_process_dci_pkt_rsp(unsigned char *buf, int len)
	if (!buf)
		return -EIO;

	if (len <= sizeof(struct dci_pkt_req_t) || len > DCI_REQ_BUF_SIZE) {
	if (len <= (sizeof(struct dci_pkt_req_t) +
		sizeof(struct diag_pkt_header_t)) ||
		len > DCI_REQ_BUF_SIZE) {
		pr_err("diag: dci: Invalid length %d len in %s\n",
			len, __func__);
		return -EIO;
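
Review bot: The new lower bound `len <= (sizeof(struct dci_pkt_req_t) + sizeof(struct diag_pkt_header_t))` compares a signed `int len` (per the function signature) against a `size_t` sum, so a negative `len` is converted to a large unsigned value and does not trip this half of the condition. Whether it is then rejected depends on the type of `DCI_REQ_BUF_SIZE`, whose definition is not visible in this hunk. Consider rejecting `len <= 0` explicitly before the size comparison, or making the signedness of both bounds explicit, so the out-of-bounds protection does not rest on an implicit conversion. A short comment stating that the payload is expected to carry a `struct diag_pkt_header_t` after the `struct dci_pkt_req_t` would also document why both sizes are summed. Minor: the message "Invalid length %d len" repeats "len" and could read "Invalid length %d".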