From 7efd393ca08ac74b2e3d2639b0ad77da139e9139 Mon Sep 17 00:00:00 2001
From: Mohit Aggarwal
Date: Thu, 30 May 2013 11:12:39 +0530
Subject: diag: Fix possible underflow/overflow issues

Add check in order to fix possible integer underflow during HDLC encoding which may lead to buffer overflow. Also added check for packet length to avoid buffer overflow.

Change-Id: I72858e7625764652571aee3154e3c2eb61655168
CRs-Fixed: 483400
CRs-Fixed: 483408
Signed-off-by: Mohit Aggarwal
---
 drivers/char/diag/diagfwd.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c
index 05b2872..baa0a83 100644
--- a/drivers/char/diag/diagfwd.c
+++ b/drivers/char/diag/diagfwd.c
@@ -95,7 +95,7 @@ do { \
 } while (0)
 #define CHK_OVERFLOW(bufStart, start, end, length) \
-((bufStart <= start) && (end - start >= length)) ? 1 : 0
+((bufStart <= start) && (end - start >= length) && (length > 0)) ? 1 : 0
 /* Determine if this device uses a device tree */
 #ifdef CONFIG_OF
@@ -1604,8 +1604,15 @@ void diag_process_hdlc(void *data, unsigned len)
 ret = diag_hdlc_decode(&hdlc);
+ /*
+ * If the message is 3 bytes or less in length then the message is
+ * too short. A message will need 4 bytes minimum, since there are
+ * 2 bytes for the CRC and 1 byte for the ending 0x7e for the hdlc
+ * encoding
+ */
 if (hdlc.dest_idx < 4) {
- pr_err("diag: Integer underflow in hdlc processing\n");
+ pr_err_ratelimited("diag: In %s, message is too short, len: %d,"
+ " dest len: %d\n", __func__, len, hdlc.dest_idx);
 return;
 }
 if (ret) {
--
cgit v1.1
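Review bot: The added `(length > 0)` term in CHK_OVERFLOW rejects a wrapped length only when the `length` argument is signed at the call site; for an unsigned argument it filters out zero alone, and `end - start >= length` then becomes a mixed signed/unsigned comparison in which a negative `end - start` can compare as a very large value. The call sites and argument types are outside this hunk, so this needs confirming there. The macro would not depend on caller types if it also checked the pointer order and parenthesized its arguments and its result, e.g. `(((bufStart) <= (start)) && ((start) <= (end)) && ((length) > 0) && ((end) - (start) >= (length)))`. `length` is now expanded twice, so callers must not pass an expression with side effects.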
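Review bot: `len` is declared `unsigned` in the diag_process_hdlc signature but the new pr_err_ratelimited call prints it with `%d`, so a large length would be logged as a negative number; `%u` matches the type, and `hdlc.dest_idx` likely needs the same if it is an unsigned field (its declaration is not in this hunk). Splitting the format string across two source lines also makes the message hard to grep for; on one line it reads `pr_err_ratelimited("diag: In %s, message is too short, len: %u, dest len: %u\n", __func__, len, hdlc.dest_idx);`. The new comment accounts for three of the four bytes (CRC and trailing 0x7e); it would help to state that the fourth is the minimum one byte of payload, if that is the intent. The function body starts and ends outside the hunk.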