Input: zforce - don't overwrite the stack

If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we will silently overwrite the stack. Cc: stable@vger.kernel.org Signed-off-by: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
author: Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com> 2015-07-13 16:54:42 (GMT)
committer: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2015-07-16 17:47:30 (GMT)
commit: 7d01cd261c76f95913c81554a751968a1d282d3a (patch)
tree: c7f498c293813cbe977df45047a21251aae0811e
parent: dbf3c370862d73fcd2c74ca55e254bb02143238d (diff)
download: linux-7d01cd261c76f95913c81554a751968a1d282d3a.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/input/touchscreen/zforce_ts.c b/drivers/input/touchscreen/zforce_ts.c
index f58a196..80285c7 100644
--- a/drivers/input/touchscreen/zforce_ts.c
+++ b/drivers/input/touchscreen/zforce_ts.c
@@ -429,7 +429,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf)
 		goto unlock;
 	}
 
-	if (buf[PAYLOAD_LENGTH] == 0) {
+	if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) {
 		dev_err(&client->dev, "invalid payload length: %d\n",
 			buf[PAYLOAD_LENGTH]);
 		ret = -EIO;
author	Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com>	2015-07-13 16:54:42 (GMT)
committer	Dmitry Torokhov <dmitry.torokhov@gmail.com>	2015-07-16 17:47:30 (GMT)
commit	7d01cd261c76f95913c81554a751968a1d282d3a (patch)
tree	c7f498c293813cbe977df45047a21251aae0811e
parent	dbf3c370862d73fcd2c74ca55e254bb02143238d (diff)
download	linux-7d01cd261c76f95913c81554a751968a1d282d3a.tar.xz