diag: Fix possible underflow/overflow issues

Add check in order to fix possible integer underflow
during HDLC encoding which may lead to buffer
overflow. Also added check for packet length to
avoid buffer overflow.

Bug: 28767796
Change-Id: I6dfe890c9db521c9144f05155c50b289c83b5b8f
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>

drivers/char/diag/diagfwd.c

@@ -1679,6 +1679,19 @@ void diag_process_hdlc(void *data, unsigned len)
 	hdlc.escaping = 0;
 
 	ret = diag_hdlc_decode(&hdlc);
+
+	/*
+	 * If the message is 3 bytes or less in length then the message is
+	 * too short. A message will need 4 bytes minimum, since there are
+	 * 2 bytes for the CRC and 1 byte for the ending 0x7e for the hdlc
+	 * encoding
+	 */
+	if (hdlc.dest_idx < 4) {
+		pr_err_ratelimited("diag: In %s, message is too short, len: %d,"
+			" dest len: %d\n", __func__, len, hdlc.dest_idx);
+		mutex_unlock(&driver->diag_hdlc_mutex);
+		return;
+	}
 	if (ret) {
 		crc_chk = crc_check(hdlc.dest_ptr, hdlc.dest_idx);
 		if (crc_chk) {

drivers/char/diag/diagfwd.h

@@ -20,7 +20,7 @@
 #define RESET_AND_QUEUE 1
 
 #define CHK_OVERFLOW(bufStart, start, end, length) \
-	((((bufStart) <= (start)) && ((end) - (start) >= (length))) ? 1 : 0)
+  ((((bufStart) <= (start)) && ((end) - (start) >= (length)) && ((length) > 0)) ? 1 : 0)
 
 void diagfwd_init(void);
 void diagfwd_exit(void);