| Message ID | 1436791512-21027-1-git-send-email-dirk.behme@de.bosch.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Mon, Jul 13, 2015 at 02:45:12PM +0200, Dirk Behme wrote: > From: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> > > If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we > will silently overwrite the stack. > > Signed-off-by: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> > Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com> Applied, thank you. > --- > drivers/input/touchscreen/zforce_ts.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/input/touchscreen/zforce_ts.c b/drivers/input/touchscreen/zforce_ts.c > index c4cffcf..32749db 100644 > --- a/drivers/input/touchscreen/zforce_ts.c > +++ b/drivers/input/touchscreen/zforce_ts.c > @@ -441,7 +441,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf) > goto unlock; > } > > - if (buf[PAYLOAD_LENGTH] == 0) { > + if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) { > dev_err(&client->dev, "invalid payload length: %d\n", > buf[PAYLOAD_LENGTH]); > ret = -EIO; > -- > 2.3.4 >
diff --git a/drivers/input/touchscreen/zforce_ts.c b/drivers/input/touchscreen/zforce_ts.c index c4cffcf..32749db 100644 --- a/drivers/input/touchscreen/zforce_ts.c +++ b/drivers/input/touchscreen/zforce_ts.c @@ -441,7 +441,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf) goto unlock; } - if (buf[PAYLOAD_LENGTH] == 0) { + if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) { dev_err(&client->dev, "invalid payload length: %d\n", buf[PAYLOAD_LENGTH]); ret = -EIO;