| author | Hardik Arya <harya@codeaurora.org> | 2019-04-22 14:22:08 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-06-10 02:38:02 -0700 |
| commit | f275209c759d7c95470d4d5f7fc5281b36d6fc77 (patch) | |
| tree | 85fccda57417b0b26b8848076f85c61e22e923f3 | |
| parent | 5c004decb393647c7c86e624c77d230b74391853 (diff) | |
diag: Prevent out-of-bound access while processing non-hdlc pkt
While parsing a non-hdlc packet, the buffer length passed to hdlc
recovery is not updated after parsing a partial packet, which
can lead to out-of-bound access. The patch passes the updated
buffer length instead.
Change-Id: I5596f8c5a72680684c9c9056dccaf33e3c36832c
Signed-off-by: Hardik Arya <harya@codeaurora.org>
| -rw-r--r-- | drivers/char/diag/diagfwd.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c
index 75c68c903371..711da56468df 100644
--- a/drivers/char/diag/diagfwd.c
+++ b/drivers/char/diag/diagfwd.c
@@ -1648,7 +1648,7 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, int pid)
 if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR) {
 mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_hdlc_start_recovery(buf, len, pid);
+ diag_hdlc_start_recovery(buf, (len - read_bytes), pid);
 mutex_lock(&driver->hdlc_recovery_mutex);
 }
 err = diag_process_apps_pkt(data_ptr,
@@ -1674,8 +1674,8 @@ start:
 pkt_len = actual_pkt->length;
 if (actual_pkt->start != CONTROL_CHAR) {
- diag_hdlc_start_recovery(buf, len, pid);
- diag_send_error_rsp(buf, len, pid);
+ diag_hdlc_start_recovery(buf, (len - read_bytes), pid);
+ diag_send_error_rsp(buf, (len - read_bytes), pid);
 goto end;
 }
 mutex_lock(&driver->hdlc_recovery_mutex);
@@ -1683,7 +1683,7 @@ start:
 pr_err("diag: In %s, incoming data is too large for the request buffer %d\n", __func__, pkt_len);
 mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_hdlc_start_recovery(buf, len, pid);
+ diag_hdlc_start_recovery(buf, (len - read_bytes), pid);
 break;
 }
 if ((pkt_len + header_len) > (len - read_bytes)) {
@@ -1700,7 +1700,7 @@ start:
 if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR) {
 mutex_unlock(&driver->hdlc_recovery_mutex);
- diag_hdlc_start_recovery(buf, len, pid);
+ diag_hdlc_start_recovery(buf, (len - read_bytes), pid);
 mutex_lock(&driver->hdlc_recovery_mutex);
 } else |
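Review bot: The shortened bound still leaves a one-byte over-read in the check that follows the third hunk: `if ((pkt_len + header_len) > (len - read_bytes))` accepts a packet whose header plus payload exactly fills the remaining bytes, yet the fourth hunk (and the first, which repeats the pattern on the pre-`start:` path) then reads `*(uint8_t *)(data_ptr + actual_pkt->length)`, which — assuming `data_ptr` is `buf + header_len`, as its use implies — is the byte just past the remaining data. Unless the receive buffer is guaranteed slack beyond `len`, the guard should include the trailing CONTROL_CHAR byte: `if ((pkt_len + header_len + 1) > (len - read_bytes)) {`. Passing the unadvanced `buf` together with `len - read_bytes` is only correct if `buf` is advanced in step with `read_bytes` in loop code outside these hunks; a comment at the first recovery call, `/* buf already points past the read_bytes consumed so far */`, would make that invariant visible to the next reader. The body of that `if` and the rest of diag_process_non_hdlc_pkt lie outside the hunks.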
