Input: zforce - don't overwrite the stack

If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we
will silently overwrite the stack.

Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com>
Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
This commit is contained in:
Oleksij Rempel 2015-07-13 09:54:42 -07:00 committed by Dmitry Torokhov
parent dbf3c37086
commit 7d01cd261c
1 changed files with 1 additions and 1 deletions

View File

@ -429,7 +429,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf)
goto unlock; goto unlock;
} }
if (buf[PAYLOAD_LENGTH] == 0) { if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) {
dev_err(&client->dev, "invalid payload length: %d\n", dev_err(&client->dev, "invalid payload length: %d\n",
buf[PAYLOAD_LENGTH]); buf[PAYLOAD_LENGTH]);
ret = -EIO; ret = -EIO;