
Commit 6f18e31a authored by qctecmdr's avatar qctecmdr Committed by Gerrit - the friendly Code Review server

Merge "diag: dci: Validate dci response length before parsing"

parents 260f199f e13539fd
+13 −5
@@ -984,7 +984,7 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
	int save_req_uid = 0;
	struct diag_dci_pkt_rsp_header_t pkt_rsp_header;

	if (!buf) {
	if (!buf || len <= 0) {
		pr_err("diag: Invalid pointer in %s\n", __func__);
		return;
	}
@@ -998,6 +998,8 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
								dci_cmd_code);
		return;
	}
	if (len < (cmd_code_len + sizeof(int)))
		return;
	temp += cmd_code_len;
	tag = *(int *)temp;
	temp += sizeof(int);
@@ -1006,12 +1008,18 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
	 * The size of the response is (total length) - (length of the command
	 * code, the tag (int)
	 */
	if (len >= cmd_code_len + sizeof(int)) {
		rsp_len = len - (cmd_code_len + sizeof(int));
		if ((rsp_len == 0) || (rsp_len > (len - 5))) {
		pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d",
			pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d\n",
					__func__, len, rsp_len);
			return;
		}
	} else {
		pr_err("diag:%s: Invalid length(%d) for calculating rsp_len\n",
			__func__, len);
		return;
	}

	mutex_lock(&driver->dci_mutex);
	req_entry = diag_dci_get_request_entry(tag);
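Review bot: The guard placed before `temp += cmd_code_len` returns silently when `len < (cmd_code_len + sizeof(int))`, and as rendered it appears to make the later `if (len >= cmd_code_len + sizeof(int)) { ... } else { ... }` wrapper redundant: once the early guard has passed, the `else` branch and its `pr_err` can never run, so a truncated response is dropped without any log line. I would move the message into the early guard, `pr_err("diag:%s: Invalid length(%d) for calculating rsp_len\n", __func__, len);` before its `return;`, and compute `rsp_len` unconditionally afterwards. Both comparisons mix the signed `len` with the `size_t` from `sizeof(int)`, so they are only sound because `len <= 0` is rejected at the top of the function; a short comment such as `/* len > 0 was checked above, so the unsigned comparison cannot wrap */` would keep a later refactor from separating the two checks. The type of `cmd_code_len` is not visible here, and extract_dci_pkt_rsp begins and ends outside these hunks.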