diag: Fix to check for command length size
Fix to validate payload length size while forwarding
commands to remote processor.
CRs-Fixed: 2004417
Change-Id: Ia047f7895002409e176eeb9e1ddfef69849636ea
Signed-off-by: Sreelakshmi Gownipalli <sgownipa@codeaurora.org>
Signed-off-by: Gopikrishna Mogasati <gmogas@codeaurora.org>
diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
index 5b507df..a363428 100644
--- a/drivers/char/diag/diagchar_core.c
+++ b/drivers/char/diag/diagchar_core.c
@@ -976,6 +976,11 @@
hdlc_disabled = driver->hdlc_disabled;
if (hdlc_disabled) {
payload = *(uint16_t *)(buf + 2);
+ if (payload > DIAG_MAX_HDLC_BUF_SIZE) {
+ pr_err("diag: Dropping packet, payload size is %d\n",
+ payload);
+ return -EBADMSG;
+ }
driver->hdlc_encode_buf_len = payload;
/*
* Adding 4 bytes for start (1 byte), version (1 byte) and