diag: Validate query dci event and log mask size properly

Currently there is possibility of out-of-bound read due to
incorrect validation of received dci event and log mask for
query. The patch update the validation for the same.

Change-Id: I4266eb0f69fdbfa48c5aacc17744dec83995e9e6
Signed-off-by: Hardik Arya <harya@codeaurora.org>

diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index 16ff781..b0b36d0 100644 (file)
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -689,7 +689,7 @@ int diag_dci_query_log_mask(struct diag_dci_client_tbl *entry,
        byte_mask = 0x01 << (item_num % 8);
        offset = equip_id * 514;
 
-       if (offset + byte_index > DCI_LOG_MASK_SIZE) {
+       if (offset + byte_index >= DCI_LOG_MASK_SIZE) {
                pr_err("diag: In %s, invalid offset: %d, log_code: %d, byte_index: %d\n",
                                __func__, offset, log_code, byte_index);
                return 0;
@@ -716,7 +716,7 @@ int diag_dci_query_event_mask(struct diag_dci_client_tbl *entry,
        bit_index = event_id % 8;
        byte_mask = 0x1 << bit_index;
 
-       if (byte_index > DCI_EVENT_MASK_SIZE) {
+       if (byte_index >= DCI_EVENT_MASK_SIZE) {
                pr_err("diag: In %s, invalid, event_id: %d, byte_index: %d\n",
                                __func__, event_id, byte_index);
                return 0;