diag: Fix possible underflow/overflow issues

Add check in order to fix possible integer underflow
during HDLC encoding which may lead to buffer
overflow. Also added check for packet length to
avoid buffer overflow.

Bug: 28767796
Change-Id: Ic91b5ee629066f013022ea139b4a23ec661aa77a
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>
Mohit Aggarwal 2016-06-02 17:00:19 -07:00 committed by Thierry Strudel
parent 9d2d76985c
commit 518bb6e931
2 changed files with 10 additions and 3 deletions


@ -1014,8 +1014,15 @@ void diag_process_hdlc(void *data, unsigned len)
ret = diag_hdlc_decode(&hdlc);
if (hdlc.dest_idx < 3) {
pr_err("diag: Integer underflow in hdlc processing\n");
/*
* If the message is 3 bytes or less in length then the message is
* too short. A message will need 4 bytes minimum, since there are
* 2 bytes for the CRC and 1 byte for the ending 0x7e for the hdlc
* encoding
*/
if (hdlc.dest_idx < 4) {
pr_err_ratelimited("diag: In %s, message is too short, len: %d,"
" dest len: %d\n", __func__, len, hdlc.dest_idx);
return;
}
if (ret) {
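Review bot: The new message prints `len` with `%d`, but the hunk header shows `diag_process_hdlc(void *data, unsigned len)`, so the specifier should be `%u`. `hdlc.dest_idx` probably needs `%u` as well, since the old message treated it as something that can underflow, but its declaration is not visible here and should be checked. The format string is also split across two source lines, which makes the log text hard to grep for; keeping it whole reads `pr_err_ratelimited("diag: In %s, message is too short, len: %u, dest len: %u\n", __func__, len, hdlc.dest_idx);`. The function starts and continues outside this hunk, so the arithmetic that this guard protects cannot be confirmed from the page.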


@ -17,7 +17,7 @@
#define NON_APPS_PROC -1
#define CHK_OVERFLOW(bufStart, start, end, length) \
((((bufStart) <= (start)) && ((end) - (start) >= (length))) ? 1 : 0)
((((bufStart) <= (start)) && ((end) - (start) >= (length)) && ((length) > 0)) ? 1 : 0)
void diagfwd_init(void);
void diagfwd_exit(void);
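Review bot: CHK_OVERFLOW still does not check that `start` is at or before `end`, so the added `(length) > 0` term leaves one case open. When `start` is past `end`, `(end) - (start)` is negative, and if a caller passes an unsigned `length` the comparison may be carried out in unsigned arithmetic and succeed; caller types are not visible on this page, so this needs confirming against the call sites. Testing the ordering before the subtraction closes it: `((((bufStart) <= (start)) && ((start) <= (end)) && ((length) > 0) && ((end) - (start) >= (length))) ? 1 : 0)`. The macro now expands `length` twice, so an argument with side effects would be evaluated twice; a `static inline` helper with typed parameters would avoid both problems.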