diff options
author | Oleksij Rempel | 2015-07-13 09:54:42 -0700 |
---|---|---|
committer | Dmitry Torokhov | 2015-07-16 10:47:30 -0700 |
commit | 7d01cd261c76f95913c81554a751968a1d282d3a (patch) | |
tree | c7f498c293813cbe977df45047a21251aae0811e /drivers/input | |
parent | dbf3c370862d73fcd2c74ca55e254bb02143238d (diff) |
Input: zforce - don't overwrite the stack
If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we
will silently overwrite the stack.
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com>
Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Diffstat (limited to 'drivers/input')
-rw-r--r-- | drivers/input/touchscreen/zforce_ts.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/input/touchscreen/zforce_ts.c b/drivers/input/touchscreen/zforce_ts.c index f58a196521a9..80285c71786e 100644 --- a/drivers/input/touchscreen/zforce_ts.c +++ b/drivers/input/touchscreen/zforce_ts.c @@ -429,7 +429,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf) goto unlock; } - if (buf[PAYLOAD_LENGTH] == 0) { + if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) { dev_err(&client->dev, "invalid payload length: %d\n", buf[PAYLOAD_LENGTH]); ret = -EIO; |