From: David Binder <david.binder@xxxxxxxxxx> Checks the controlvm message's payload size before copying it into a parser_context struct's name region. Signed-off-by: David Binder <david.binder@xxxxxxxxxx> Signed-off-by: David Kershner <david.kershner@xxxxxxxxxx> Reported-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/staging/unisys/visorbus/visorchipset.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/staging/unisys/visorbus/visorchipset.c b/drivers/staging/unisys/visorbus/visorchipset.c index 4e630ea..df2dfeb 100644 --- a/drivers/staging/unisys/visorbus/visorchipset.c +++ b/drivers/staging/unisys/visorbus/visorchipset.c @@ -399,6 +399,10 @@ parser_name_get(struct parser_context *ctx) struct spar_controlvm_parameters_header *phdr = NULL; phdr = (struct spar_controlvm_parameters_header *)(ctx->data); + + if (phdr->name_offset + phdr->name_length > ctx->param_bytes) + return NULL; + ctx->curr = ctx->data + phdr->name_offset; ctx->bytes_remaining = phdr->name_length; return parser_string_get(ctx); -- git-series 0.9.1 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
