From 31c280fe3455b47273d5b490d96c61c75b77b059 Mon Sep 17 00:00:00 2001
From: Hardik Arya <harya@codeaurora.org>
Date: Fri, 6 Apr 2018 15:10:36 +0530
Subject: [PATCH] diag: Validate query dci event and log mask size properly

Currently there is possibility of out-of-bound read due to
incorrect validation of received dci event and log mask for
query. The patch update the validation for the same.

Change-Id: I4266eb0f69fdbfa48c5aacc17744dec83995e9e6
Signed-off-by: Hardik Arya <harya@codeaurora.org>
---
 drivers/char/diag/diag_dci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index 16ff781cde65..b0b36d00415d 100644
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -689,7 +689,7 @@ int diag_dci_query_log_mask(struct diag_dci_client_tbl *entry,
 	byte_mask = 0x01 << (item_num % 8);
 	offset = equip_id * 514;
 
-	if (offset + byte_index > DCI_LOG_MASK_SIZE) {
+	if (offset + byte_index >= DCI_LOG_MASK_SIZE) {
 		pr_err("diag: In %s, invalid offset: %d, log_code: %d, byte_index: %d\n",
 				__func__, offset, log_code, byte_index);
 		return 0;
@@ -716,7 +716,7 @@ int diag_dci_query_event_mask(struct diag_dci_client_tbl *entry,
 	bit_index = event_id % 8;
 	byte_mask = 0x1 << bit_index;
 
-	if (byte_index > DCI_EVENT_MASK_SIZE) {
+	if (byte_index >= DCI_EVENT_MASK_SIZE) {
 		pr_err("diag: In %s, invalid, event_id: %d, byte_index: %d\n",
 				__func__, event_id, byte_index);
 		return 0;