
Commit 37ba3c35 authored by Hans de Goede, committed by Jiri Kosina

HID: intel_ish-hid: Move header size check to inside the loop



With the headersize check outside of the loop, the second time through
the loop the: "payload_len = recv_msg->hdr.size;" statement may deref
recv_msg while it is pointing outside of our input buffer.

Move the headersize check to inside the loop to fix this.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
parent 097b8f62
+10 −10
@@ -77,21 +77,21 @@ static void process_recv(struct ishtp_cl *hid_ishtp_cl, void *recv_buf,
	struct ishtp_cl_data *client_data = hid_ishtp_cl->client_data;
	int curr_hid_dev = client_data->cur_hid_dev;

	if (data_len < sizeof(struct hostif_msg_hdr)) {
	payload = recv_buf + sizeof(struct hostif_msg_hdr);
	total_len = data_len;
	cur_pos = 0;

	do {
		if (cur_pos + sizeof(struct hostif_msg) > total_len) {
			dev_err(&client_data->cl_device->dev,
				"[hid-ish]: error, received %u which is less than data header %u\n",
				(unsigned int)data_len,
				(unsigned int)sizeof(struct hostif_msg_hdr));
			++client_data->bad_recv_cnt;
			ish_hw_reset(hid_ishtp_cl->dev);
		return;
			break;
		}

	payload = recv_buf + sizeof(struct hostif_msg_hdr);
	total_len = data_len;
	cur_pos = 0;

	do {
		recv_msg = (struct hostif_msg *)(recv_buf + cur_pos);
		payload_len = recv_msg->hdr.size;
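
Review bot: the dev_err() inside the relocated check still reports data_len and sizeof(struct hostif_msg_hdr), while the condition now tests cur_pos + sizeof(struct hostif_msg) against total_len, so on a second or later pass through the loop the log will show a received length that looks large enough and hide the real cause. Suggest logging cur_pos and the bytes remaining (total_len - cur_pos) against sizeof(struct hostif_msg) instead. Separately, this check only guarantees that the header fits: payload_len is taken from recv_msg->hdr.size on the very next line, so it should be validated against total_len - cur_pos before the payload is read, if the rest of the loop does not already do that.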