Commit 1473ba27 authored Sep 14, 2017 by Ashish Garg Committed by raghavendra ambadas Sep 26, 2017

msm: mdss: check the length of the external input buffer properly



dchdr->dlen is a short variable controlled by the user-provided data
(a string). If the value is negative, the condition does not pass
and loop continues, also increasing the value of "len". As a result
buffer overflow and overwrite occurs.

Change-Id: I5eacec446c9a8b5b82fc3bc6d1281303f336d4de
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>

parent 1517368c

drivers/video/msm/mdss/mdss_dsi.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -953,7 +953,7 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
		while (len >= sizeof(*dchdr)) {
		dchdr = (struct dsi_ctrl_hdr *)bp;
		dchdr->dlen = ntohs(dchdr->dlen);
		if (dchdr->dlen > len) {
		if (dchdr->dlen > len \|\| dchdr->dlen < 0) {
		pr_err("%s: dtsi cmd=%x error, len=%d\n",
		__func__, dchdr->dtype, dchdr->dlen);
		kfree(buf);