Skip to content

Commit

Permalink
Input: zforce - don't overwrite the stack
Browse files Browse the repository at this point in the history 
If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we
will silently overwrite the stack.

Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com>
Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
  • Loading branch information
Oleksij Rempel authored and Dmitry Torokhov committed Jul 16, 2015
1 parent dbf3c37 commit 7d01cd2
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/input/touchscreen/zforce_ts.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -429,7 +429,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf)
goto unlock;
}

if (buf[PAYLOAD_LENGTH] == 0) {
if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) {
dev_err(&client->dev, "invalid payload length: %d\n",
buf[PAYLOAD_LENGTH]);
ret = -EIO;
Expand Down

0 comments on commit 7d01cd2

Please sign in to comment.