From: Oleksij Rempel Date: Mon, 13 Jul 2015 16:54:42 +0000 (-0700) Subject: Input: zforce - don't overwrite the stack X-Git-Tag: firefly_0821_release~176^2~541^2~58 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=7d01cd261c76f95913c81554a751968a1d282d3a;p=firefly-linux-kernel-4.4.55.git Input: zforce - don't overwrite the stack If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we will silently overwrite the stack. Cc: stable@vger.kernel.org Signed-off-by: Oleksij Rempel Signed-off-by: Dirk Behme Signed-off-by: Dmitry Torokhov --- diff --git a/drivers/input/touchscreen/zforce_ts.c b/drivers/input/touchscreen/zforce_ts.c index f58a196521a9..80285c71786e 100644 --- a/drivers/input/touchscreen/zforce_ts.c +++ b/drivers/input/touchscreen/zforce_ts.c @@ -429,7 +429,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf) goto unlock; } - if (buf[PAYLOAD_LENGTH] == 0) { + if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) { dev_err(&client->dev, "invalid payload length: %d\n", buf[PAYLOAD_LENGTH]); ret = -EIO;