projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: dbf3c37)
Input: zforce - don't overwrite the stack
authorOleksij Rempel <[email protected]>
Mon, 13 Jul 2015 16:54:42 +0000 (09:54 -0700)
committerDmitry Torokhov <[email protected]>
Thu, 16 Jul 2015 17:47:30 +0000 (10:47 -0700)
If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we
will silently overwrite the stack.

Cc: [email protected]
Signed-off-by: Oleksij Rempel <[email protected]>
Signed-off-by: Dirk Behme <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
drivers/input/touchscreen/zforce_ts.c patch | blob | history

diff --git a/drivers/input/touchscreen/zforce_ts.c b/drivers/input/touchscreen/zforce_ts.c
index f58a196521a9a99fc3d4838b86db7aba4b7aca02..80285c71786ee58a85d268adb20ad283a1fd54a9 100644 (file)
--- a/drivers/input/touchscreen/zforce_ts.c
+++ b/drivers/input/touchscreen/zforce_ts.c
@@ -429,7 +429,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf)
                goto unlock;
        }
 
-       if (buf[PAYLOAD_LENGTH] == 0) {
+       if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) {
                dev_err(&client->dev, "invalid payload length: %d\n",
                        buf[PAYLOAD_LENGTH]);
                ret = -EIO;
John Crispins staging tree