msm: mdss: check the length of the external input buffer properly
dchdr->dlen is a short variable controlled by the user-provided data (a string). If the value is negative, the condition does not pass and loop continues, also increasing the value of "len". As a result buffer overflow and overwrite occurs. Change-Id: I5eacec446c9a8b5b82fc3bc6d1281303f336d4de Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
This commit is contained in:
parent
f48ed0afc6
commit
b26399f539
|
@ -858,7 +858,7 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
|
|||
while (len >= sizeof(*dchdr)) {
|
||||
dchdr = (struct dsi_ctrl_hdr *)bp;
|
||||
dchdr->dlen = ntohs(dchdr->dlen);
|
||||
if (dchdr->dlen > len) {
|
||||
if (dchdr->dlen > len || dchdr->dlen < 0) {
|
||||
pr_err("%s: dtsi cmd=%x error, len=%d\n",
|
||||
__func__, dchdr->dtype, dchdr->dlen);
|
||||
kfree(buf);
|
||||
|
|
Loading…
Reference in New Issue