From e935115d05f7169b6e63df5dac501c71674d231e Mon Sep 17 00:00:00 2001 From: Manoj Prabhu B Date: Tue, 24 Sep 2019 14:54:33 +0530 Subject: [PATCH] diag: Validate msg source length to prevent out of bound access Place check for mask size and validate source length against sum of header length and mask size to prevent out of bound access. Change-Id: I8ac089202b6e3007773b92be8cfdc52fcb30ec3c Signed-off-by: Manoj Prabhu B --- drivers/char/diag/diag_masks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/char/diag/diag_masks.c b/drivers/char/diag/diag_masks.c index ec3013c5fd85..775a66db30f7 100644 --- a/drivers/char/diag/diag_masks.c +++ b/drivers/char/diag/diag_masks.c @@ -901,7 +901,8 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len, goto end; if (mask_size + write_len > dest_len) mask_size = dest_len - write_len; - memcpy(dest_buf + write_len, src_buf + header_len, mask_size); + if (mask_size && src_len >= header_len + mask_size) + memcpy(dest_buf + write_len, src_buf + header_len, mask_size); write_len += mask_size; for (i = 0; i < NUM_PERIPHERALS; i++) { if (!diag_check_update(i, pid))