evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "diag: Add proper checks to fix possible out-of-bound issue"

Browse source
This commit is contained in:
Linux Build Service Account 2017-07-07 08:31:56 -07:00 committed by Gerrit - the friendly Code Review server
commit 478a7073f5
1 changed files with 19 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
drivers/char/diag/diagchar_core.c
View file

@ -1020,6 +1020,11 @@ static int diag_send_raw_data_remote(int proc, void *buf, int len,
else else
hdlc_disabled = driver->hdlc_disabled; hdlc_disabled = driver->hdlc_disabled;
if (hdlc_disabled) { if (hdlc_disabled) {
if (len < 4) {
pr_err("diag: In %s, invalid len: %d of non_hdlc pkt",
__func__, len);
return -EBADMSG;
}
payload = *(uint16_t *)(buf + 2); payload = *(uint16_t *)(buf + 2);
if (payload > DIAG_MAX_HDLC_BUF_SIZE) { if (payload > DIAG_MAX_HDLC_BUF_SIZE) {
pr_err("diag: Dropping packet, payload size is %d\n", pr_err("diag: Dropping packet, payload size is %d\n",
@ -1028,11 +1033,21 @@ static int diag_send_raw_data_remote(int proc, void *buf, int len,
} }
driver->hdlc_encode_buf_len = payload; driver->hdlc_encode_buf_len = payload;
/* /*
* Adding 4 bytes for start (1 byte), version (1 byte) and * Adding 5 bytes for start (1 byte), version (1 byte),
* payload (2 bytes) * payload (2 bytes) and end (1 byte)
*/ */
memcpy(driver->hdlc_encode_buf, buf + 4, payload); if (len == (payload + 5)) {
goto send_data; /*
* Adding 4 bytes for start (1 byte), version (1 byte)
* and payload (2 bytes)
*/
memcpy(driver->hdlc_encode_buf, buf + 4, payload);
goto send_data;
} else {
pr_err("diag: In %s, invalid len: %d of non_hdlc pkt",
__func__, len);
return -EBADMSG;
}
} }
if (hdlc_flag) { if (hdlc_flag) {