
Commit e13539fd authored by Manoj Prabhu B's avatar Manoj Prabhu B

diag: dci: Validate dci response length before parsing



Prevent a possible out-of-bounds access, caused by a missing length check
while extracting the dci packet response, by adding proper checks.

CRs-Fixed: 2434571
Change-Id: I7b6972bf6559bdca99333a75d989cd6d3431b801
Signed-off-by: default avatarManoj Prabhu B <bmanoj@codeaurora.org>
parent 1f169742
+13 −5
@@ -984,7 +984,7 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
	int save_req_uid = 0;
	struct diag_dci_pkt_rsp_header_t pkt_rsp_header;

	if (!buf) {
	if (!buf || len <= 0) {
		pr_err("diag: Invalid pointer in %s\n", __func__);
		return;
	}
@@ -998,6 +998,8 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
								dci_cmd_code);
		return;
	}
	if (len < (cmd_code_len + sizeof(int)))
		return;
	temp += cmd_code_len;
	tag = *(int *)temp;
	temp += sizeof(int);
@@ -1006,12 +1008,18 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
	 * The size of the response is (total length) - (length of the command
	 * code, the tag (int)
	 */
	if (len >= cmd_code_len + sizeof(int)) {
		rsp_len = len - (cmd_code_len + sizeof(int));
		if ((rsp_len == 0) || (rsp_len > (len - 5))) {
		pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d",
			pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d\n",
					__func__, len, rsp_len);
			return;
		}
	} else {
		pr_err("diag:%s: Invalid length(%d) for calculating rsp_len\n",
			__func__, len);
		return;
	}

	mutex_lock(&driver->dci_mutex);
	req_entry = diag_dci_get_request_entry(tag);
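Review bot: The `else` branch that logs "Invalid length(%d) for calculating rsp_len" in the last hunk looks unreachable, because the guard added before `temp += cmd_code_len` already returns when `len < (cmd_code_len + sizeof(int))`, and nothing visible between the two checks changes `len` or `cmd_code_len` (two lines between the hunks are not shown). As a result a truncated response is dropped silently, leaving no trace for anyone investigating malformed DCI traffic; I would log at the early return, e.g. `pr_err("diag:%s: Invalid length(%d) for calculating rsp_len\n", __func__, len);` before its `return;`, and drop the `if (len >= ...) { ... } else { ... }` wrapper. Both comparisons mix `int len` with a `size_t` sum and are sound only because the first hunk rejects `len <= 0`, which deserves a short comment such as `/* len > 0 is checked above, so the unsigned comparison cannot wrap */`. extract_dci_pkt_rsp starts before and continues after the visible hunks.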