Input: zforce - don't overwrite the stack

If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we will silently overwrite the stack. Cc: stable@vger.kernel.org Signed-off-by: N Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> Signed-off-by: N Dirk Behme <dirk.behme@de.bosch.com> Signed-off-by: N Dmitry Torokhov <dmitry.torokhov@gmail.com>

Input: zforce - don't overwrite the stack
If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we will silently overwrite the stack. Cc: stable@vger.kernel.org Signed-off-by: N Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> Signed-off-by: N Dirk Behme <dirk.behme@de.bosch.com> Signed-off-by: N Dmitry Torokhov <dmitry.torokhov@gmail.com>
7d01cd26 · Oleksij Rempel · Dmitry Torokhov · dbf3c370 · 7d01cd26
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/input/touchscreen/zforce_ts.c drivers/input/touchscreen/zforce_ts.c +1 -1

未找到文件。
--- a/drivers/input/touchscreen/zforce_ts.c
+++ b/drivers/input/touchscreen/zforce_ts.c
@@ -429,7 +429,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf)
 		goto unlock;
 	}

-	if (buf[PAYLOAD_LENGTH] == 0) {
+	if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) {
 		dev_err(&client->dev, "invalid payload length: %d\n",
 			buf[PAYLOAD_LENGTH]);
 		ret = -EIO;