
Commit a46d3886 authored by raghavendra ambadas, committed by Nirmal Abraham

fbdev: msm: check the length of the external input buffer properly



dchdr->dlen is a short variable controlled by the user-provided data.
If the value is negative, the loop continues, also increasing the value
of "len". As a result, a buffer overflow occurs. So define the len as
unsigned and check with the length of the string input from user space.

Change-Id: I8bb9ab33d543c826eb330e16ae116385d823ca98
Signed-off-by: raghavendra ambadas <rambad@codeaurora.org>
parent 4ded928c
+4 −3
/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -1015,7 +1015,8 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
{
	struct buf_data *pcmds = file->private_data;
	int blen, len, i;
	unsigned int len;
	int blen, i;
	char *buf, *bufp, *bp;
	struct dsi_ctrl_hdr *dchdr;

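Review bot: In the declarations of mdss_dsi_cmd_flush(), len becomes `unsigned int` while blen stays a signed `int`, so any place the function assigns or compares the two now mixes signedness. Consider declaring both as size_t, since len is compared against sizeof(*dchdr) in the loop, or add a comment explaining why blen must remain signed. With an unsigned len, a subtraction that goes past zero wraps to a large value instead of ending the loop, so each decrement of len needs to be bounded by a check first.
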
@@ -1059,7 +1060,7 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
	while (len >= sizeof(*dchdr)) {
		dchdr = (struct dsi_ctrl_hdr *)bp;
		dchdr->dlen = ntohs(dchdr->dlen);
		if (dchdr->dlen > len || dchdr->dlen < 0) {
		if (dchdr->dlen > (len - sizeof(*dchdr)) || dchdr->dlen < 0) {
			pr_err("%s: dtsi cmd=%x error, len=%d\n",
				__func__, dchdr->dtype, dchdr->dlen);
			kfree(buf);
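
Review bot: In the bounds check `if (dchdr->dlen > (len - sizeof(*dchdr)) || dchdr->dlen < 0)`, the negative test comes second, after dlen (a short, per the commit message) has already been compared against an unsigned expression. The result is still correct, because a negative dlen converts to a large unsigned value and trips the first clause, but that depends on implicit conversion; put `dchdr->dlen < 0` first, or read the field into an unsigned 16-bit local after ntohs() so the sign case cannot arise. The subtraction `len - sizeof(*dchdr)` is only safe because of the `while (len >= sizeof(*dchdr))` guard above it, and a short comment saying so would keep a later refactor from breaking that assumption.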