Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

diag: Check buffer size against command structure size 

Validate the buffer size against the parsing command structure size
before parsing to prevent possible out of bound error case.

CRs-Fixed: 2437341
Change-Id: I31c9a556539fce403691294a76160ae4936e7065
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
This commit is contained in:
Manoj Prabhu B 2019-05-09 13:02:39 +05:30 committed by syphyr
parent 142fc006e7
commit fa4e1d8f35
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/char/diag/diagfwd.c
View File

@ -579,7 +579,8 @@ int diag_process_time_sync_query_cmd(unsigned char *src_buf, int src_len,
struct diag_cmd_time_sync_query_req_t *req = NULL;
struct diag_cmd_time_sync_query_rsp_t rsp;
if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0) {
if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||
src_len < sizeof(struct diag_cmd_time_sync_query_req_t)) {
pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d",
__func__, src_buf, src_len, dest_buf, dest_len);
return -EINVAL;
@ -606,7 +607,8 @@ int diag_process_time_sync_switch_cmd(unsigned char *src_buf, int src_len,
int msg_size = sizeof(struct diag_ctrl_msg_time_sync);
int err = 0, write_len = 0;
if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0) {
if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||
src_len < sizeof(struct diag_cmd_time_sync_switch_req_t)) {
pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d",
__func__, src_buf, src_len, dest_buf, dest_len);
return -EINVAL;