
From 7efd393ca08ac74b2e3d2639b0ad77da139e9139 Mon Sep 17 00:00:00 2001
From: Mohit Aggarwal <maggarwa@codeaurora.org>
Date: Thu, 30 May 2013 11:12:39 +0530
Subject: diag: Fix possible underflow/overflow issues
Add check in order to fix possible integer underflow
during HDLC encoding which may lead to buffer
overflow. Also added check for packet length to
avoid buffer overflow.
Change-Id: I72858e7625764652571aee3154e3c2eb61655168
CRs-Fixed: 483400
CRs-Fixed: 483408
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
---
drivers/char/diag/diagfwd.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c
index 05b2872..baa0a83 100644
--- a/drivers/char/diag/diagfwd.c
+++ b/drivers/char/diag/diagfwd.c
@@ -95,7 +95,7 @@ do { \
} while (0)
#define CHK_OVERFLOW(bufStart, start, end, length) \
-((bufStart <= start) && (end - start >= length)) ? 1 : 0
+((bufStart <= start) && (end - start >= length) && (length > 0)) ? 1 : 0
/* Determine if this device uses a device tree */
#ifdef CONFIG_OF
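Review bot: CHK_OVERFLOW still never checks that `end` is not below `start`, so the added `(length > 0)` term only closes the zero or negative length case. If `end - start` can be negative and `length` is an unsigned type of the same width (the argument types are not visible in this hunk), the comparison is done in unsigned arithmetic and the negative difference passes as a very large value. The expansion also leaves its arguments unparenthesized and keeps `? 1 : 0` outside the outer parentheses, so it can bind unexpectedly inside a larger expression. I would write it as `(((bufStart) <= (start)) && ((start) <= (end)) && ((length) > 0) && ((end) - (start) >= (length)))`.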
@@ -1604,8 +1604,15 @@ void diag_process_hdlc(void *data, unsigned len)
ret = diag_hdlc_decode(&hdlc);
+ /*
+ * If the message is 3 bytes or less in length then the message is
+ * too short. A message will need 4 bytes minimum, since there are
+ * 2 bytes for the CRC and 1 byte for the ending 0x7e for the hdlc
+ * encoding
+ */
if (hdlc.dest_idx < 4) {
- pr_err("diag: Integer underflow in hdlc processing\n");
+ pr_err_ratelimited("diag: In %s, message is too short, len: %d,"
+ " dest len: %d\n", __func__, len, hdlc.dest_idx);
return;
}
if (ret) {
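Review bot: `len` is declared `unsigned` in the signature shown in the hunk header but is printed with `%d` in the new pr_err_ratelimited() call; use `%u`, and match the specifier for `hdlc.dest_idx` to its declared type, which is not visible here. The format string is also split across two lines, which makes the message hard to grep for; keeping it as one literal, `"diag: In %s, message is too short, len: %u, dest len: %d\n"`, avoids that. The commit message mentions an added packet-length check, but the `hdlc.dest_idx < 4` test is a context line in this hunk, so as far as the visible lines show only the comment and log text changed. The body of diag_process_hdlc starts and ends outside the hunk.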
--
cgit v1.1