mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-11 15:39:28 -05:00
52 lines
1.7 KiB
Diff
52 lines
1.7 KiB
Diff
|
From 7efd393ca08ac74b2e3d2639b0ad77da139e9139 Mon Sep 17 00:00:00 2001
|
||
|
From: Mohit Aggarwal <maggarwa@codeaurora.org>
|
||
|
Date: Thu, 30 May 2013 11:12:39 +0530
|
||
|
Subject: diag: Fix possible underflow/overflow issues
|
||
|
|
||
|
Add check in order to fix possible integer underflow
|
||
|
during HDLC encoding which may lead to buffer
|
||
|
overflow. Also added check for packet length to
|
||
|
avoid buffer overflow.
|
||
|
|
||
|
Change-Id: I72858e7625764652571aee3154e3c2eb61655168
|
||
|
CRs-Fixed: 483400
|
||
|
CRs-Fixed: 483408
|
||
|
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
|
||
|
---
|
||
|
drivers/char/diag/diagfwd.c | 11 +++++++++--
|
||
|
1 file changed, 9 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c
|
||
|
index 05b2872..baa0a83 100644
|
||
|
--- a/drivers/char/diag/diagfwd.c
|
||
|
+++ b/drivers/char/diag/diagfwd.c
|
||
|
@@ -95,7 +95,7 @@ do { \
|
||
|
} while (0)
|
||
|
|
||
|
#define CHK_OVERFLOW(bufStart, start, end, length) \
|
||
|
-((bufStart <= start) && (end - start >= length)) ? 1 : 0
|
||
|
+((bufStart <= start) && (end - start >= length) && (length > 0)) ? 1 : 0
|
||
|
|
||
|
/* Determine if this device uses a device tree */
|
||
|
#ifdef CONFIG_OF
|
||
|
@@ -1604,8 +1604,15 @@ void diag_process_hdlc(void *data, unsigned len)
|
||
|
|
||
|
ret = diag_hdlc_decode(&hdlc);
|
||
|
|
||
|
+ /*
|
||
|
+ * If the message is 3 bytes or less in length then the message is
|
||
|
+ * too short. A message will need 4 bytes minimum, since there are
|
||
|
+ * 2 bytes for the CRC and 1 byte for the ending 0x7e for the hdlc
|
||
|
+ * encoding
|
||
|
+ */
|
||
|
if (hdlc.dest_idx < 4) {
|
||
|
- pr_err("diag: Integer underflow in hdlc processing\n");
|
||
|
+ pr_err_ratelimited("diag: In %s, message is too short, len: %d,"
|
||
|
+ " dest len: %d\n", __func__, len, hdlc.dest_idx);
|
||
|
return;
|
||
|
}
|
||
|
if (ret) {
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|