On Mon, Jul 13, 2015 at 02:45:12PM +0200, Dirk Behme wrote:
> From: Oleksij Rempel <external.Oleksij.Rempel@xxxxxxxxxxxx>
>
> If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we
> will silently overwrite the stack.
>
> Signed-off-by: Oleksij Rempel <external.Oleksij.Rempel@xxxxxxxxxxxx>
> Signed-off-by: Dirk Behme <dirk.behme@xxxxxxxxxxxx>
Applied, thank you.
> ---
> drivers/input/touchscreen/zforce_ts.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/input/touchscreen/zforce_ts.c b/drivers/input/touchscreen/zforce_ts.c
> index c4cffcf..32749db 100644
> --- a/drivers/input/touchscreen/zforce_ts.c
> +++ b/drivers/input/touchscreen/zforce_ts.c
> @@ -441,7 +441,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf)
> goto unlock;
> }
>
> - if (buf[PAYLOAD_LENGTH] == 0) {
> + if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) {
> dev_err(&client->dev, "invalid payload length: %d\n",
> buf[PAYLOAD_LENGTH]);
> ret = -EIO;
> --
> 2.3.4
>
--
Dmitry
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
