Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7d01cd26 authored by Oleksij Rempel's avatar Oleksij Rempel Committed by Dmitry Torokhov
Browse files

Input: zforce - don't overwrite the stack 



If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we
will silently overwrite the stack.

Cc: stable@vger.kernel.org
Signed-off-by: default avatarOleksij Rempel <external.Oleksij.Rempel@de.bosch.com>
Signed-off-by: default avatarDirk Behme <dirk.behme@de.bosch.com>
Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
parent dbf3c370

drivers/input/touchscreen/zforce_ts.c

+1 −1
Original line number Diff line number Diff line
@@ -429,7 +429,7 @@ static int zforce_read_packet(struct zforce_ts *ts, u8 *buf) 
		goto unlock;

	}



	if (buf[PAYLOAD_LENGTH] == 0) {

	if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) {

		dev_err(&client->dev, "invalid payload length: %d\n",

			buf[PAYLOAD_LENGTH]);

		ret = -EIO;