From d8c26e52ffbd09dc076fccca8044bb3d7a6d1f68 Mon Sep 17 00:00:00 2001
From: Katish Paran
Date: Fri, 28 Mar 2014 18:01:07 +0530
Subject: diag: Check for valid proc id while querying real time status

Currently in diag driver invalid proc id may lead to accessing invalid array elements. This patch fixes the issue.

Change-Id: I4bcf3eb610537c589d0b66903df1e79a88127b93
CRs-fixed: 629864
Signed-off-by: Katish Paran
---
 drivers/char/diag/diag_dci.c | 21 ++++++++++++---------
 drivers/char/diag/diagchar_core.c | 2 +-
 2 files changed, 13 insertions(+), 10 deletions(-)
 (limited to 'drivers/char')

diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index 7884081f30a6..91ac7b07914f 100644
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -2709,15 +2709,18 @@ fail_alloc:
 if (new_entry) {
 for (i = 0; i < new_entry->num_buffers; i++) {
 proc_buf = &new_entry->buffers[i];
- mutex_destroy(&proc_buf->health_mutex);
- mutex_destroy(&proc_buf->buf_primary->data_mutex);
- mutex_destroy(&proc_buf->buf_cmd->data_mutex);
- if (proc_buf->buf_primary)
- kfree(proc_buf->buf_primary->data);
- kfree(proc_buf->buf_primary);
- if (proc_buf->buf_cmd)
- kfree(proc_buf->buf_cmd->data);
- kfree(proc_buf->buf_cmd);
+ if (proc_buf) {
+ mutex_destroy(&proc_buf->health_mutex);
+ mutex_destroy(
+ &proc_buf->buf_primary->data_mutex);
+ mutex_destroy(&proc_buf->buf_cmd->data_mutex);
+ if (proc_buf->buf_primary)
+ kfree(proc_buf->buf_primary->data);
+ kfree(proc_buf->buf_primary);
+ if (proc_buf->buf_cmd)
+ kfree(proc_buf->buf_cmd->data);
+ kfree(proc_buf->buf_cmd);
+ }
 }
 kfree(new_entry->dci_event_mask);
 kfree(new_entry->dci_log_mask);
diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
index c4e634390c00..27713809cd79 100644
--- a/drivers/char/diag/diagchar_core.c
+++ b/drivers/char/diag/diagchar_core.c
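Review bot: Inside the new `if (proc_buf)` block in the diag_dci.c hunk, `mutex_destroy(&proc_buf->buf_primary->data_mutex)` and `mutex_destroy(&proc_buf->buf_cmd->data_mutex)` still run before the `if (proc_buf->buf_primary)` and `if (proc_buf->buf_cmd)` NULL checks that follow them, so on a failure path where either pointer is NULL the cleanup operates on a mutex at an offset from NULL. Each destroy belongs under its matching NULL check, as in the block below. The added guard itself tests the address `&new_entry->buffers[i]`, which can only be NULL when `buffers` is NULL and `i` is 0; if `buffers` can be unallocated at this label (its allocation is outside the hunk), testing `new_entry->buffers` once before the loop would be the effective check. The enclosing function starts and ends outside the hunk.

```c
/* … unchanged: if (proc_buf) { and the health_mutex destroy … */
if (proc_buf->buf_primary) {
	mutex_destroy(&proc_buf->buf_primary->data_mutex);
	kfree(proc_buf->buf_primary->data);
}
kfree(proc_buf->buf_primary);
if (proc_buf->buf_cmd) {
	mutex_destroy(&proc_buf->buf_cmd->data_mutex);
	kfree(proc_buf->buf_cmd->data);
}
kfree(proc_buf->buf_cmd);
```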
@@ -1085,7 +1085,7 @@ static int diag_ioctl_get_real_time(unsigned long ioarg)
 usleep_range(10000, 10100);
 } else {
 if (rt_query.proc < 0 ||
- rt_query.proc > DIAG_NUM_PROC) {
+ rt_query.proc >= DIAG_NUM_PROC) {
 pr_err("diag: Invalid proc %d in %s\n",
 rt_query.proc, __func__);
 return -EINVAL;
--
cgit v1.2.3
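Review bot: The corrected bound still sits inside the `else` arm, so this hunk alone cannot confirm that every use of `rt_query.proc` as an index in diag_ioctl_get_real_time is preceded by it; the function body starts and ends outside the hunk. If `rt_query` is filled from `ioarg` earlier in the function, which is presumed and not shown here, validating the range once right after that copy would make the check unconditional. A comment above the condition, such as `/* proc is used as an array index: valid range is 0..DIAG_NUM_PROC-1 */`, would record why the comparison must be `>=`.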