evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

diag: Validate msg source length to prevent out of bound access

Browse source 
Place check for mask size and validate source length against
sum of header length and mask size to prevent out of bound access.

Change-Id: I8ac089202b6e3007773b92be8cfdc52fcb30ec3c
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
This commit is contained in:
Manoj Prabhu B 2019-09-24 14:54:33 +05:30 committed by Gerrit - the friendly Code Review server
parent a8e92fae3a
commit e935115d05
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
drivers/char/diag/diag_masks.c
View file

@ -901,7 +901,8 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len,
goto end; goto end;
if (mask_size + write_len > dest_len) if (mask_size + write_len > dest_len)
mask_size = dest_len - write_len; mask_size = dest_len - write_len;
memcpy(dest_buf + write_len, src_buf + header_len, mask_size); if (mask_size && src_len >= header_len + mask_size)
memcpy(dest_buf + write_len, src_buf + header_len, mask_size);
write_len += mask_size; write_len += mask_size;
for (i = 0; i < NUM_PERIPHERALS; i++) { for (i = 0; i < NUM_PERIPHERALS; i++) {
if (!diag_check_update(i, pid)) if (!diag_check_update(i, pid))