From ef29ae1d40536fef7fb95e4d5bb5b6b57bdf9420 Mon Sep 17 00:00:00 2001
From: Katish Paran
Date: Tue, 17 Dec 2013 13:36:15 +0530
Subject: diag: dci: Safeguard to prevent Integer Underflow and Memory Leak

At certain point in diag driver there can be integer underflow thus can lead to memory leak. Added a safeguard for that.

Change-Id: I2a0304f5b9888fe12ca9ef5fbaa9a68ee4ab9c15
Crs-fixed: 556860
Signed-off-by: Katish Paran
---
 drivers/char/diag/diag_dci.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index 7772ebe..414207f 100644
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -216,7 +216,11 @@ void extract_dci_pkt_rsp(struct diag_smd_info *smd_info, unsigned char *buf)
 if (recv_pkt_cmd_code != DCI_PKT_RSP_CODE)
 cmd_code_len = 4; /* delayed response */
 write_len = (int)(*(uint16_t *)(buf+2)) - cmd_code_len;
-
+ if (write_len <= 0) {
+ pr_err("diag: Invalid length in %s, write_len: %d",
+ __func__, write_len);
+ return;
+ }
 pr_debug("diag: len = %d\n", write_len);
 tag = (int *)(buf + (4 + cmd_code_len)); /* Retrieve the Tag field */
 req_entry = diag_dci_get_request_entry(*tag);
--
cgit v1.1
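Review bot: The new guard rejects only `write_len <= 0`; the 16-bit length read from `buf+2` still has no upper bound, and because `extract_dci_pkt_rsp()` takes no buffer size, nothing visible in this hunk ties `write_len` to the number of bytes actually present in `buf`. The function starts and ends outside the hunk, so how `write_len` is consumed cannot be seen here; it is worth confirming that the later use also rejects a claimed length larger than what was received. Separately, the `pr_err` format string lacks the trailing newline that the `pr_debug` below it has, and since the value is taken from packet data a rate-limited message keeps a stream of malformed packets from flooding the log: `pr_err_ratelimited("diag: Invalid length in %s, write_len: %d\n", __func__, write_len);`.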