diag: Validate msg source length to prevent out of bound access

Place check for mask size and validate source length against
sum of header length and mask size to prevent out of bound access.

Change-Id: I8ac089202b6e3007773b92be8cfdc52fcb30ec3c
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>

diff --git a/drivers/char/diag/diag_masks.c b/drivers/char/diag/diag_masks.c
index ec3013c..775a66d 100644 (file)
--- a/drivers/char/diag/diag_masks.c
+++ b/drivers/char/diag/diag_masks.c
@@ -901,7 +901,8 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len,
                goto end;
        if (mask_size + write_len > dest_len)
                mask_size = dest_len - write_len;
-       memcpy(dest_buf + write_len, src_buf + header_len, mask_size);
+       if (mask_size && src_len >= header_len + mask_size)
+               memcpy(dest_buf + write_len, src_buf + header_len, mask_size);
        write_len += mask_size;
        for (i = 0; i < NUM_PERIPHERALS; i++) {
                if (!diag_check_update(i, pid))