On Sat, 2018-04-14 at 17:06 +0200, Hans de Goede wrote: > With the headersize check outside of the loop, the second time > through > the loop the: "payload_len = recv_msg->hdr.size;" statement may deref > recv_msg while it is pointing outside of our input buffer. > > Move the headersize check to inside the loop to fix this. > > Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx> Acked-by: Srinivas Pandruvada <srinivas.pandruvada@xxxxxxxxxxxxxxx> > --- > drivers/hid/intel-ish-hid/ishtp-hid-client.c | 20 ++++++++++------ > ---- > 1 file changed, 10 insertions(+), 10 deletions(-) > > diff --git a/drivers/hid/intel-ish-hid/ishtp-hid-client.c > b/drivers/hid/intel-ish-hid/ishtp-hid-client.c > index 157b44aacdff..6ce1856bb368 100644 > --- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c > +++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c 
> @@ -77,21 +77,21 @@ static void process_recv(struct ishtp_cl > *hid_ishtp_cl, void *recv_buf, > struct ishtp_cl_data *client_data = hid_ishtp_cl- > >client_data; > int curr_hid_dev = client_data->cur_hid_dev; > > - if (data_len < sizeof(struct hostif_msg_hdr)) { > - dev_err(&client_data->cl_device->dev, > - "[hid-ish]: error, received %u which is less > than data header %u\n", > - (unsigned int)data_len, > - (unsigned int)sizeof(struct > hostif_msg_hdr)); > - ++client_data->bad_recv_cnt; > - ish_hw_reset(hid_ishtp_cl->dev); > - return; > - } > - > payload = recv_buf + sizeof(struct hostif_msg_hdr); > total_len = data_len; > cur_pos = 0; > > do { > + if (cur_pos + sizeof(struct hostif_msg) > total_len) > { > + dev_err(&client_data->cl_device->dev, > + "[hid-ish]: error, received %u which > is less than data header %u\n", > + (unsigned int)data_len, > + (unsigned int)sizeof(struct > hostif_msg_hdr)); > + ++client_data->bad_recv_cnt; > + ish_hw_reset(hid_ishtp_cl->dev); > + break; > + } > + > recv_msg = (struct hostif_msg *)(recv_buf + > cur_pos); > payload_len = recv_msg->hdr.size; > -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
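Review bot: In the new in-loop check, the condition tests `cur_pos + sizeof(struct hostif_msg) > total_len`, but the dev_err() text carried over from the old check still reports `data_len` against `sizeof(struct hostif_msg_hdr)`. On a second or later pass through the loop, data_len can be larger than the header size, so the log line "received %u which is less than data header %u" would contradict itself. Printing the remaining bytes (total_len - cur_pos) together with cur_pos, and using the same struct in the sizeof as in the condition, would make the message describe the actual failure. Separately, the `return` became `break`, so whatever follows the do/while now runs after ish_hw_reset(). That code is not visible in this hunk and is worth confirming as safe on the error path. Finally, this check only guarantees that `recv_msg->hdr.size` can be read. The visible lines do not show payload_len being bounded against total_len - cur_pos before the payload is used, so that is worth checking in the rest of the loop.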