4.1-stable review patch. If anyone has any objections, please let me know.
------------------ From: Oleksij Rempel <external.oleksij.rem...@de.bosch.com> commit 7d01cd261c76f95913c81554a751968a1d282d3a upstream. If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we will silently overwrite the stack. Signed-off-by: Oleksij Rempel <external.oleksij.rem...@de.bosch.com> Signed-off-by: Dirk Behme <dirk.be...@de.bosch.com> Signed-off-by: Dmitry Torokhov <dmitry.torok...@gmail.com> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> --- drivers/input/touchscreen/zforce_ts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/input/touchscreen/zforce_ts.c +++ b/drivers/input/touchscreen/zforce_ts.c @@ -430,7 +430,7 @@ static int zforce_read_packet(struct zfo goto unlock; } - if (buf[PAYLOAD_LENGTH] == 0) { + if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) { dev_err(&client->dev, "invalid payload length: %d\n", buf[PAYLOAD_LENGTH]); ret = -EIO; -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/