diff options
author | Hans de Goede <hdegoede@redhat.com> | 2018-04-14 17:06:44 +0200 |
---|---|---|
committer | Jiri Kosina <jkosina@suse.cz> | 2018-04-25 10:52:42 +0200 |
commit | 37ba3c350e64adcbdd483e81bf194c05d9573515 (patch) | |
tree | 250ee87fd3a8c4f1829a17fb74ed79709be6a510 /drivers/hid | |
parent | 097b8f62dd793e08f1732fc74dbb64596c7fbff9 (diff) |
HID: intel_ish-hid: Move header size check to inside the loop
With the headersize check outside of the loop, the second time through
the loop the: "payload_len = recv_msg->hdr.size;" statement may deref
recv_msg while it is pointing outside of our input buffer.
Move the headersize check to inside the loop to fix this.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'drivers/hid')
-rw-r--r-- | drivers/hid/intel-ish-hid/ishtp-hid-client.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/drivers/hid/intel-ish-hid/ishtp-hid-client.c b/drivers/hid/intel-ish-hid/ishtp-hid-client.c index 157b44aacdff..6ce1856bb368 100644 --- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c +++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c @@ -77,21 +77,21 @@ static void process_recv(struct ishtp_cl *hid_ishtp_cl, void *recv_buf, struct ishtp_cl_data *client_data = hid_ishtp_cl->client_data; int curr_hid_dev = client_data->cur_hid_dev; - if (data_len < sizeof(struct hostif_msg_hdr)) { - dev_err(&client_data->cl_device->dev, - "[hid-ish]: error, received %u which is less than data header %u\n", - (unsigned int)data_len, - (unsigned int)sizeof(struct hostif_msg_hdr)); - ++client_data->bad_recv_cnt; - ish_hw_reset(hid_ishtp_cl->dev); - return; - } - payload = recv_buf + sizeof(struct hostif_msg_hdr); total_len = data_len; cur_pos = 0; do { + if (cur_pos + sizeof(struct hostif_msg) > total_len) { + dev_err(&client_data->cl_device->dev, + "[hid-ish]: error, received %u which is less than data header %u\n", + (unsigned int)data_len, + (unsigned int)sizeof(struct hostif_msg_hdr)); + ++client_data->bad_recv_cnt; + ish_hw_reset(hid_ishtp_cl->dev); + break; + } + recv_msg = (struct hostif_msg *)(recv_buf + cur_pos); payload_len = recv_msg->hdr.size; |