Subject: Re: [PATCH 4.1 076/123] Input: zforce - dont overwrite the stack
From: Dmitry Torokhov
Date: Sat, 08 Aug 2015 15:37:57 -0700
To: Greg Kroah-Hartman, linux-kernel@vger.kernel.org
CC: stable@vger.kernel.org, Oleksij Rempel, Dirk Behme
In-Reply-To: <20150808220720.450038366@linuxfoundation.org>
References: <20150808220717.771230091@linuxfoundation.org> <20150808220720.450038366@linuxfoundation.org>

Hi Greg,

On August 8, 2015 3:09:14 PM PDT, Greg Kroah-Hartman wrote:
>4.1-stable review patch. If anyone has any objections, please let me
>know.

This was a bad patch and it's reverted in mainline, please drop.

>
>------------------
>
>From: Oleksij Rempel
>
>commit 7d01cd261c76f95913c81554a751968a1d282d3a upstream.
>
>If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we
>will silently overwrite the stack.
>
>Signed-off-by: Oleksij Rempel
>Signed-off-by: Dirk Behme
>Signed-off-by: Dmitry Torokhov
>Signed-off-by: Greg Kroah-Hartman
>
>---
> drivers/input/touchscreen/zforce_ts.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>--- a/drivers/input/touchscreen/zforce_ts.c
>+++ b/drivers/input/touchscreen/zforce_ts.c
>@@ -430,7 +430,7 @@ static int zforce_read_packet(struct zfo > goto unlock; > } > >- if (buf[PAYLOAD_LENGTH] == 0) { >+ if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) >{ > dev_err(&client->dev, "invalid payload length: %d\n", > buf[PAYLOAD_LENGTH]); > ret = -EIO;

Thanks.

--
Dmitry
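Review bot: the new `buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE` comparison in the zforce_read_packet() condition may be unreachable or use the wrong bound, and the hunk gives no way to tell. It shows neither the element type of buf nor the value of FRAME_MAXSIZE: if buf is a byte array and FRAME_MAXSIZE is larger than 255, the test can never be true and is dead code. If the payload is stored after header bytes in the same buffer, the limit should be the space remaining after the header rather than FRAME_MAXSIZE itself. Please state in the commit message the buffer size and the offset the payload is read into so the bound can be checked against them. The reply in this thread asks for the patch to be dropped from 4.1-stable because it was reverted in mainline.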