int save_req_uid = 0;
struct diag_dci_pkt_rsp_header_t pkt_rsp_header;
- if (!buf) {
+ if (!buf || len <= 0) {
pr_err("diag: Invalid pointer in %s\n", __func__);
return;
}
dci_cmd_code);
return;
}
+ if (len < (cmd_code_len + sizeof(int)))
+ return;
temp += cmd_code_len;
tag = *(int *)temp;
temp += sizeof(int);
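Review bot: The new guard `if (len < (cmd_code_len + sizeof(int))) return;` rejects a short packet silently, while every other rejection in this function (invalid pointer, invalid command code) goes through pr_err, so a truncated response from a peripheral leaves no trace in the log. The comparison also mixes an int `len` with a size_t right-hand side; that is harmless only because the earlier hunk appears to reject `len <= 0` in what looks like the same function, so the two checks should stay together. I would make the new check match the others: `if (len < (int)(cmd_code_len + sizeof(int))) { pr_err("diag: %s: len %d too short for cmd code and tag\n", __func__, len); return; }`. The enclosing function starts before this hunk.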
* The size of the response is (total length) - (length of the command
* code, the tag (int)
*/
- rsp_len = len - (cmd_code_len + sizeof(int));
- if ((rsp_len == 0) || (rsp_len > (len - 5))) {
- pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d",
- __func__, len, rsp_len);
+ if (len >= cmd_code_len + sizeof(int)) {
+ rsp_len = len - (cmd_code_len + sizeof(int));
+ if ((rsp_len == 0) || (rsp_len > (len - 5))) {
+ pr_err("diag: Invalid length in %s, len: %d, rsp_len: %d\n",
+ __func__, len, rsp_len);
+ return;
+ }
+ } else {
+ pr_err("diag:%s: Invalid length(%d) for calculating rsp_len\n",
+ __func__, len);
return;
}
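Review bot: The new `else` branch that logs "Invalid length(%d) for calculating rsp_len" looks unreachable, because the earlier hunk already returns when `len < (cmd_code_len + sizeof(int))` before `tag` is read, and nothing between the two checks changes `len` or `cmd_code_len` — assuming both hunks belong to the same function, which the shared use of `cmd_code_len` suggests. Having the same bound enforced twice, once silently and once with a log line, makes it easy for a later edit to change one and not the other. I would keep a single check: drop the silent early return and let this branch, which logs, be the one that rejects short packets, or keep the early return and collapse this hunk back to the plain `rsp_len = len - (cmd_code_len + sizeof(int));` followed by the existing `(rsp_len == 0) || (rsp_len > (len - 5))` test. The enclosing function starts before this hunk and continues after it.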
DIAG_LOG(DIAG_DEBUG_PERIPHERALS,
"diag: dci client with pid = %d Exited..\n",
entry->tgid);
+ put_pid(pid_struct);
mutex_unlock(&driver->dci_mutex);
return;
}
if (stat)
pr_err("diag: Err sending dci signal to client, signal data: 0x%x, stat: %d\n",
info.si_int, stat);
- } else
+ } else {
pr_err("diag: client data is corrupted, signal data: 0x%x, stat: %d\n",
info.si_int, stat);
+ }
+ put_task_struct(dci_task);
+ put_pid(pid_struct);
}
}
}
if (!buf)
return -EIO;
- if (len <= sizeof(struct dci_pkt_req_t) || len > DCI_REQ_BUF_SIZE) {
+ if (len <= (sizeof(struct dci_pkt_req_t) +
+ sizeof(struct diag_pkt_header_t)) ||
+ len > DCI_REQ_BUF_SIZE) {
pr_err("diag: dci: Invalid length %d len in %s", len, __func__);
return -EIO;
}
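Review bot: A negative `len` still passes the new length check, because `len` is printed with %d and so is presumably an int, and comparing it with the size_t sum `sizeof(struct dci_pkt_req_t) + sizeof(struct diag_pkt_header_t)` converts it to an unsigned value, for which `len <= ...` is false; the second clause, `len > DCI_REQ_BUF_SIZE`, does not catch a negative value either if that constant is an int. Since this function parses a request buffer it did not build, the check should pin the sign first: `if (len <= 0 || (size_t)len <= (sizeof(struct dci_pkt_req_t) + sizeof(struct diag_pkt_header_t)) || len > DCI_REQ_BUF_SIZE)`. The enclosing function starts before this hunk and continues after it.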
uint8_t *event_mask_ptr;
struct diag_dci_client_tbl *dci_entry = NULL;
- if (!temp) {
- pr_err("diag: Invalid buffer in %s\n", __func__);
- return -ENOMEM;
+ if (!temp || len < sizeof(int)) {
+ pr_err("diag: Invalid input in %s\n", __func__);
+ return -EINVAL;
}
/* This is Pkt request/response transaction */
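Review bot: The added `len < sizeof(int)` clause does not reject a negative `len`: if `len` is an int, as the "%d" formats elsewhere in this file suggest, the comparison with size_t promotes it to a large unsigned value and the check passes, after which `*(int *)temp` is read anyway. Compare in the signed domain, `if (!temp || len < (int)sizeof(int))`, or reject `len <= 0` explicitly before the size comparison. Note also that the return value for the invalid-input case changes from -ENOMEM to -EINVAL; that is the better code, but any caller or user-space path that matched on -ENOMEM would need a look. The enclosing function starts before this hunk and continues after it.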
count = 0; /* iterator for extracting log codes */
while (count < num_codes) {
- if (read_len >= USER_SPACE_DATA) {
+ if (read_len + sizeof(uint16_t) > len) {
pr_err("diag: dci: Invalid length for log type in %s",
__func__);
mutex_unlock(&driver->dci_mutex);
pr_debug("diag: head of dci event mask %pK\n", event_mask_ptr);
count = 0; /* iterator for extracting log codes */
while (count < num_codes) {
- if (read_len >= USER_SPACE_DATA) {
+ if (read_len + sizeof(int) > len) {
pr_err("diag: dci: Invalid length for event type in %s",
__func__);
mutex_unlock(&driver->dci_mutex);
DIAG_LOG(DIAG_DEBUG_DCI,
"diag: valid task doesn't exist for pid = %d\n",
entry->tgid);
+ put_pid(pid_struct);
continue;
}
- if (task_s == entry->client)
- if (entry->client->tgid == tgid)
+ if (task_s == entry->client) {
+ if (entry->client->tgid == tgid) {
+ put_task_struct(task_s);
+ put_pid(pid_struct);
return entry;
+ }
+ }
+ put_task_struct(task_s);
+ put_pid(pid_struct);
}
return NULL;
}
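Review bot: The two nested `if` blocks added here end up with the `put_task_struct(task_s); put_pid(pid_struct);` pair written twice, once before `return entry;` and once after the nested ifs, which is the kind of duplication that lets a later edit drop one of the two and leak a reference again. Evaluating the match first and releasing the references once on every path keeps the get/put pairing in a single place; this needs a `bool match;` local declared at the top of the function, outside this hunk. I have assumed `task_s` and `pid_struct` are the references taken just above the hunk for this loop iteration, as the `put_pid` on the `continue` path implies. The enclosing function starts before this hunk.
```c
		/* … unchanged: pid/task lookup and the "valid task doesn't exist" continue … */
		match = (task_s == entry->client && entry->client->tgid == tgid);
		put_task_struct(task_s);
		put_pid(pid_struct);
		if (match)
			return entry;
	}
	return NULL;
```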
mutex_lock(&driver->dci_mutex);
+ get_task_struct(current);
new_entry->client = current;
new_entry->tgid = current->tgid;
new_entry->client_info.notification_list =