DivestOS/Patches/Linux_CVEs-New/CVE-2014-9873/ANY/0.patch

36 lines
1.3 KiB
Diff
Raw Normal View History

From ef29ae1d40536fef7fb95e4d5bb5b6b57bdf9420 Mon Sep 17 00:00:00 2001
From: Katish Paran <kparan@codeaurora.org>
Date: Tue, 17 Dec 2013 13:36:15 +0530
Subject: diag: dci: Safeguard to prevent Integer Underflow and Memory Leak
At certain point in diag driver there can be integer underflow
thus can lead to memory leak. Added a safeguard for that.
Change-Id: I2a0304f5b9888fe12ca9ef5fbaa9a68ee4ab9c15
Crs-fixed: 556860
Signed-off-by: Katish Paran <kparan@codeaurora.org>
---
drivers/char/diag/diag_dci.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index 7772ebe..414207f 100644
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -216,7 +216,11 @@ void extract_dci_pkt_rsp(struct diag_smd_info *smd_info, unsigned char *buf)
if (recv_pkt_cmd_code != DCI_PKT_RSP_CODE)
cmd_code_len = 4; /* delayed response */
write_len = (int)(*(uint16_t *)(buf+2)) - cmd_code_len;
-
+ if (write_len <= 0) {
+ pr_err("diag: Invalid length in %s, write_len: %d",
+ __func__, write_len);
+ return;
+ }
pr_debug("diag: len = %d\n", write_len);
tag = (int *)(buf + (4 + cmd_code_len)); /* Retrieve the Tag field */
req_entry = diag_dci_get_request_entry(*tag);
--
cgit v1.1