diag: Fix array out of bounds access
The processing of the buf_tbl array is resulting in access beyond
the end of the array. Make modifications to ensure that the buf_tbl
array is accessed properly within bounds.
CRs-Fixed: 488175
Change-Id: I8782c7632a426fe49a295361c3db1257cc881c80
Signed-off-by: Dixon Peterson <dixonp@codeaurora.org>
diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h
index 684f11d..292a0be 100644
--- a/drivers/char/diag/diagchar.h
+++ b/drivers/char/diag/diagchar.h
@@ -219,6 +219,7 @@
int num_clients;
int polling_reg_flag;
struct diag_write_device *buf_tbl;
+ unsigned int buf_tbl_size;
int use_device_tree;
/* DCI related variables */
struct dci_pkt_req_tracking_tbl *req_tracking_tbl;
diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
index 7022a6f..96e8b11 100644
--- a/drivers/char/diag/diagchar_core.c
+++ b/drivers/char/diag/diagchar_core.c
@@ -1167,7 +1167,7 @@
/* place holder for number of data field */
ret += 4;
- for (i = 0; i < driver->poolsize_write_struct; i++) {
+ for (i = 0; i < driver->buf_tbl_size; i++) {
if (driver->buf_tbl[i].length > 0) {
#ifdef DIAG_DEBUG
pr_debug("diag: WRITING the buf address "
diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c
index 151e304..f76d41a 100644
--- a/drivers/char/diag/diagfwd.c
+++ b/drivers/char/diag/diagfwd.c
@@ -48,7 +48,8 @@
int diag_debug_buf_idx;
unsigned char diag_debug_buf[1024];
-static unsigned int buf_tbl_size = 8; /*Number of entries in table of buffers */
+/* Number of entries in table of buffers */
+static unsigned int buf_tbl_size = 10;
struct diag_master_table entry;
struct diag_send_desc_type send = { NULL, NULL, DIAG_STATE_START, 0 };
struct diag_hdlc_dest_type enc = { NULL, NULL, 0 };
@@ -467,7 +468,7 @@
if (driver->logging_mode == MEMORY_DEVICE_MODE) {
int hsic_updated = 0;
if (data_type == APPS_DATA) {
- for (i = 0; i < driver->poolsize_write_struct; i++)
+ for (i = 0; i < driver->buf_tbl_size; i++)
if (driver->buf_tbl[i].length == 0) {
driver->buf_tbl[i].buf = buf;
driver->buf_tbl[i].length =
@@ -1768,6 +1769,12 @@
driver->read_len_legacy = 0;
driver->use_device_tree = has_device_tree();
driver->real_time_mode = 1;
+ /*
+ * The number of entries in table of buffers
+ * should not be any smaller than hdlc poolsize.
+ */
+ driver->buf_tbl_size = (buf_tbl_size < driver->poolsize_hdlc) ?
+ driver->poolsize_hdlc : buf_tbl_size;
mutex_init(&driver->diag_hdlc_mutex);
mutex_init(&driver->diag_cntl_mutex);
@@ -1802,7 +1809,7 @@
goto err;
kmemleak_not_leak(driver->client_map);
if (driver->buf_tbl == NULL)
- driver->buf_tbl = kzalloc(buf_tbl_size *
+ driver->buf_tbl = kzalloc(driver->buf_tbl_size *
sizeof(struct diag_write_device), GFP_KERNEL);
if (driver->buf_tbl == NULL)
goto err;