diag: Add proper checks to fix possible out-of-bound issue

Currently, there is a possibility of out-of-bound access while
processing data received from user space. The patch adds proper
checks for valid address.

CRs-Fixed: 2048536
Change-Id: I1e0fc7a9d69e69f3326429d5d9540dd3bb1a59b0
Signed-off-by: Hardik Arya <harya@codeaurora.org>
diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
index 45376d8..e4397c5 100644
--- a/drivers/char/diag/diagchar_core.c
+++ b/drivers/char/diag/diagchar_core.c
@@ -975,6 +975,11 @@
 	else
 		hdlc_disabled = driver->hdlc_disabled;
 	if (hdlc_disabled) {
+		if (len < 4) {
+			pr_err("diag: In %s, invalid len: %d of non_hdlc pkt",
+			__func__, len);
+			return -EBADMSG;
+		}
 		payload = *(uint16_t *)(buf + 2);
 		if (payload > DIAG_MAX_HDLC_BUF_SIZE) {
 			pr_err("diag: Dropping packet, payload size is %d\n",
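Review bot: The `pr_err` added in the `len < 4` branch fires on input that, per the commit message, comes from user space, and it is not rate-limited, so repeated malformed packets can fill the kernel log; `pr_err_ratelimited(...)` would bound that. The format string also lacks the trailing `\n` that the existing "Dropping packet" message just below carries, for example `"diag: In %s, invalid len: %d of non_hdlc pkt\n"`. Both points apply equally to the message added in the second hunk, and because the two messages are identical, the short-header rejection and the length-mismatch rejection cannot be told apart in logs. The enclosing function begins and ends outside this hunk.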
@@ -983,11 +988,21 @@
 		}
 		driver->hdlc_encode_buf_len = payload;
 		/*
-		 * Adding 4 bytes for start (1 byte), version (1 byte) and
-		 * payload (2 bytes)
+		 * Adding 5 bytes for start (1 byte), version (1 byte),
+		 * payload (2 bytes) and end (1 byte)
 		 */
-		memcpy(driver->hdlc_encode_buf, buf + 4, payload);
-		goto send_data;
+		if (len == (payload + 5)) {
+			/*
+			 * Adding 4 bytes for start (1 byte), version (1 byte)
+			 * and payload (2 bytes)
+			 */
+			memcpy(driver->hdlc_encode_buf, buf + 4, payload);
+			goto send_data;
+		} else {
+			pr_err("diag: In %s, invalid len: %d of non_hdlc pkt",
+			__func__, len);
+			return -EBADMSG;
+		}
 	}
 
 	if (hdlc_flag) {
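Review bot: `driver->hdlc_encode_buf_len = payload;` still runs before the new `len == (payload + 5)` test, so on the rejected path the driver keeps a length that does not describe the contents of `hdlc_encode_buf`. Whether anything reads that field before the next accepted packet is not visible here, but validating first avoids the question: `if (len != payload + 5) { pr_err(...); return -EBADMSG; }` followed by the assignment, the `memcpy` and `goto send_data`. That form also drops the `else` after `goto` and lets one comment explain the 5-byte framing instead of two near-duplicates. The test checks only the total length and not the value of the end byte; if that is intended, a short comment such as `/* end byte is counted but not validated here */` would say so. The function body continues outside this hunk, so whether the early return skips any cleanup cannot be confirmed from these lines.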