diag: Check buffer size against command structure size
Validate the buffer size against the parsing command structure size before parsing to prevent possible out of bound error case. CRs-Fixed: 2437341 Change-Id: I31c9a556539fce403691294a76160ae4936e7065 Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
This commit is contained in:
parent
142fc006e7
commit
fa4e1d8f35
|
@ -579,7 +579,8 @@ int diag_process_time_sync_query_cmd(unsigned char *src_buf, int src_len,
|
|||
struct diag_cmd_time_sync_query_req_t *req = NULL;
|
||||
struct diag_cmd_time_sync_query_rsp_t rsp;
|
||||
|
||||
if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0) {
|
||||
if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||
|
||||
src_len < sizeof(struct diag_cmd_time_sync_query_req_t)) {
|
||||
pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d",
|
||||
__func__, src_buf, src_len, dest_buf, dest_len);
|
||||
return -EINVAL;
|
||||
|
@ -606,7 +607,8 @@ int diag_process_time_sync_switch_cmd(unsigned char *src_buf, int src_len,
|
|||
int msg_size = sizeof(struct diag_ctrl_msg_time_sync);
|
||||
int err = 0, write_len = 0;
|
||||
|
||||
if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0) {
|
||||
if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||
|
||||
src_len < sizeof(struct diag_cmd_time_sync_switch_req_t)) {
|
||||
pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d",
|
||||
__func__, src_buf, src_len, dest_buf, dest_len);
|
||||
return -EINVAL;
|
||||
|
|
Loading…
Reference in New Issue