authorManoj Prabhu B <bmanoj@codeaurora.org>2021-04-15 16:23:09 +0530
committerJairaj Solanki <quic_jsolanki@quicinc.com>2022-09-19 19:23:09 +0530
commite41c0da23b38b2458c3b3f3e7d22b13e440d4719 (patch)
tree67bfdc27ba443ca6f0c6a732c6680c3aa64a059c
parent16802e80ecb58bd39ce55d2f29457455735b650e (diff)
diag: Prevent out of bound write while sending dci pkt to remote
Sanitize user input length for the maximum buffer size before writing the dci packet to remote. Change-Id: I1f813a969fcce589f9e5024864ef4a650f2cf64e Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
-rw-r--r--drivers/char/diag/diag_dci.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index 1fe7fa0debcc..20c9a0ecb68f 100644
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -1734,7 +1734,16 @@ static int diag_send_dci_pkt_remote(unsigned char *data, int len, int tag,
write_len += dci_header_size;
*(int *)(buf + write_len) = tag;
write_len += sizeof(int);
- memcpy(buf + write_len, data, len);
+ if ((write_len + len) < DIAG_MDM_BUF_SIZE) {
+ memcpy(buf + write_len, data, len);
+ } else {
+ pr_err("diag: skip writing invalid length packet, token: %d, pkt_len: %d\n",
+ token, (write_len + len));
+ spin_lock_irqsave(&driver->dci_mempool_lock, flags);
+ diagmem_free(driver, buf, dci_ops_tbl[token].mempool);
+ spin_unlock_irqrestore(&driver->dci_mempool_lock, flags);
+ return -EAGAIN;
+ }
write_len += len;
*(buf + write_len) = CONTROL_CHAR; /* End Terminator */
write_len += sizeof(uint8_t);
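Review bot: The new bound check `if ((write_len + len) < DIAG_MDM_BUF_SIZE)` adds in signed `int`, so a negative `len` passes the test and is then converted to a huge size by `memcpy`, and a very large `len` can overflow the sum. Unless `len` is already range-checked earlier in diag_send_dci_pkt_remote (its body starts above this hunk), the guard should reject those cases without adding first, e.g. `if (len >= 0 && len < DIAG_MDM_BUF_SIZE - write_len) {`. The check also assumes that `buf`, taken from `dci_ops_tbl[token].mempool`, is at least DIAG_MDM_BUF_SIZE bytes, which the hunk does not show; a one-line comment stating that invariant would help. Returning `-EAGAIN` for a packet that can never fit invites the caller to retry, so `-EINVAL` or `-EMSGSIZE` would describe the failure better.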