Input: zforce - don't overwrite the stack
If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we will silently overwrite the stack. Cc: stable@vger.kernel.org Signed-off-by: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
This commit is contained in:
parent
dbf3c37086
commit
7d01cd261c
|
@ -429,7 +429,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf)
|
||||||
goto unlock;
|
goto unlock;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (buf[PAYLOAD_LENGTH] == 0) {
|
if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) {
|
||||||
dev_err(&client->dev, "invalid payload length: %d\n",
|
dev_err(&client->dev, "invalid payload length: %d\n",
|
||||||
buf[PAYLOAD_LENGTH]);
|
buf[PAYLOAD_LENGTH]);
|
||||||
ret = -EIO;
|
ret = -EIO;
|
||||||
|
|
Loading…
Reference in New Issue