summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLinux Build Service Account <lnxbuild@localhost>2019-06-02 23:35:06 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2019-06-02 23:35:05 -0700
commit69b14d87db0cbc059dc5fde101c8a52a837c815c (patch)
treef18f871d137089151eac7418e2c9255e35134033
parent16819b1724ca924e698aea615ea72fc50c4174e6 (diff)
parentd5f7b0a5556b025d6380ccb8999f8087e6de0b77 (diff)
Merge "diag: Prevent out-of-bound access while processing dci transaction"
Diffstat
-rw-r--r--drivers/char/diag/diag_dci.c10
-rw-r--r--drivers/char/diag/diag_dci.h2
2 files changed, 6 insertions, 6 deletions
diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index 8d5f505e4e34..aedeeef0911d 100644
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -2072,9 +2072,9 @@ int diag_process_dci_transaction(unsigned char *buf, int len)
uint8_t *event_mask_ptr;
struct diag_dci_client_tbl *dci_entry = NULL;
- if (!temp) {
- pr_err("diag: Invalid buffer in %s\n", __func__);
- return -ENOMEM;
+ if (!temp || len < sizeof(int)) {
+ pr_err("diag: Invalid input in %s\n", __func__);
+ return -EINVAL;
}
/* This is Pkt request/response transaction */
@@ -2129,7 +2129,7 @@ int diag_process_dci_transaction(unsigned char *buf, int len)
count = 0; /* iterator for extracting log codes */
while (count < num_codes) {
- if (read_len >= USER_SPACE_DATA) {
+ if (read_len + sizeof(uint16_t) > len) {
pr_err("diag: dci: Invalid length for log type in %s",
__func__);
mutex_unlock(&driver->dci_mutex);
@@ -2242,7 +2242,7 @@ int diag_process_dci_transaction(unsigned char *buf, int len)
pr_debug("diag: head of dci event mask %pK\n", event_mask_ptr);
count = 0; /* iterator for extracting log codes */
while (count < num_codes) {
- if (read_len >= USER_SPACE_DATA) {
+ if (read_len + sizeof(int) > len) {
pr_err("diag: dci: Invalid length for event type in %s",
__func__);
mutex_unlock(&driver->dci_mutex);
diff --git a/drivers/char/diag/diag_dci.h b/drivers/char/diag/diag_dci.h
index c2a8ac1e3854..800a4f7312cf 100644
--- a/drivers/char/diag/diag_dci.h
+++ b/drivers/char/diag/diag_dci.h
@@ -27,7 +27,7 @@
#define DISABLE_LOG_MASK 0
#define MAX_EVENT_SIZE 512
#define DCI_CLIENT_INDEX_INVALID -1
-#define DCI_LOG_CON_MIN_LEN 14
+#define DCI_LOG_CON_MIN_LEN 16
#define DCI_EVENT_CON_MIN_LEN 16
#define EXT_HDR_LEN 8
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-26 16:22:27 +0000