diag: dci: Validate dci response length before parsing

[sagit-ice-cold/kernel_xiaomi_msm8998.git] / drivers / char / diag / diag_dci.c

diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index e043b08..8d5f505 100644 (file)
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -984,7 +984,7 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
        int save_req_uid = 0;
        struct diag_dci_pkt_rsp_header_t pkt_rsp_header;
 
-       if (!buf) {
+       if (!buf || len <= 0) {
                pr_err("diag: Invalid pointer in %s\n", __func__);
                return;
        }
@@ -998,6 +998,8 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
                                                                dci_cmd_code);
                return;
        }
+       if (len < (cmd_code_len + sizeof(int)))
+               return;
        temp += cmd_code_len;
        tag = *(int *)temp;
        temp += sizeof(int);
@@ -1006,10 +1008,16 @@ void extract_dci_pkt_rsp(unsigned char *buf, int len, int data_source,
         * The size of the response is (total length) - (length of the command
         * code, the tag (int)
         */
-       rsp_len = len - (cmd_code_len + sizeof(int));
-       if ((rsp_len == 0) || (rsp_len > (len - 5))) {
-               pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d",
-                                               __func__, len, rsp_len);
+       if (len >= cmd_code_len + sizeof(int)) {
+               rsp_len = len - (cmd_code_len + sizeof(int));
+               if ((rsp_len == 0) || (rsp_len > (len - 5))) {
+                       pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d\n",
+                                       __func__, len, rsp_len);
+                       return;
+               }
+       } else {
+               pr_err("diag:%s: Invalid length(%d) for calculating rsp_len\n",
+                       __func__, len);
                return;
        }