Message ID | 1440713521-5906-17-git-send-email-kamal@canonical.com |
---|---|
State | New |
Headers | show |
On August 27, 2015 3:10:07 PM PDT, Kamal Mostafa <kamal@canonical.com> wrote: >3.19.8-ckt6 -stable review patch. If anyone has any objections, please >let me know. Bad patch, reverted in mainline, please drop. > >------------------ > >From: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> > >commit 7d01cd261c76f95913c81554a751968a1d282d3a upstream. > >If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we >will silently overwrite the stack. > >Signed-off-by: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> >Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com> >Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> >Signed-off-by: Kamal Mostafa <kamal@canonical.com> >--- > drivers/input/touchscreen/zforce_ts.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/drivers/input/touchscreen/zforce_ts.c >b/drivers/input/touchscreen/zforce_ts.c >index 19880c7..a9e1ee3 100644 >--- a/drivers/input/touchscreen/zforce_ts.c >+++ b/drivers/input/touchscreen/zforce_ts.c >@@ -430,7 +430,7 @@ static int zforce_read_packet(struct zforce_ts *ts, >u8 *buf) > goto unlock; > } > >- if (buf[PAYLOAD_LENGTH] == 0) { >+ if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) >{ > dev_err(&client->dev, "invalid payload length: %d\n", > buf[PAYLOAD_LENGTH]); > ret = -EIO; Thanks.
On Thu, 2015-08-27 at 15:24 -0700, Dmitry Torokhov wrote: > On August 27, 2015 3:10:07 PM PDT, Kamal Mostafa <kamal@canonical.com> wrote: > >3.19.8-ckt6 -stable review patch. If anyone has any objections, please > >let me know. > > Bad patch, reverted in mainline, please drop. OK, dropped from 3.19-stable. Thanks Dmitry! -Kamal > > > >------------------ > > > >From: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> > > > >commit 7d01cd261c76f95913c81554a751968a1d282d3a upstream. > > > >If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we > >will silently overwrite the stack. > > > >Signed-off-by: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> > >Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com> > >Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> > >Signed-off-by: Kamal Mostafa <kamal@canonical.com> > >--- > > drivers/input/touchscreen/zforce_ts.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > >diff --git a/drivers/input/touchscreen/zforce_ts.c > >b/drivers/input/touchscreen/zforce_ts.c > >index 19880c7..a9e1ee3 100644 > >--- a/drivers/input/touchscreen/zforce_ts.c > >+++ b/drivers/input/touchscreen/zforce_ts.c > >@@ -430,7 +430,7 @@ static int zforce_read_packet(struct zforce_ts *ts, > >u8 *buf) > > goto unlock; > > } > > > >- if (buf[PAYLOAD_LENGTH] == 0) { > >+ if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) > >{ > > dev_err(&client->dev, "invalid payload length: %d\n", > > buf[PAYLOAD_LENGTH]); > > ret = -EIO; > > > Thanks. >
diff --git a/drivers/input/touchscreen/zforce_ts.c b/drivers/input/touchscreen/zforce_ts.c index 19880c7..a9e1ee3 100644 --- a/drivers/input/touchscreen/zforce_ts.c +++ b/drivers/input/touchscreen/zforce_ts.c @@ -430,7 +430,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf) goto unlock; } - if (buf[PAYLOAD_LENGTH] == 0) { + if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) { dev_err(&client->dev, "invalid payload length: %d\n", buf[PAYLOAD_LENGTH]); ret = -EIO;