fbdev: msm: check the length of the external input buffer properly
dchdr->dlen is a short variable controlled by user-provided data. If the value is negative, the loop continues and the value of "len" also increases. As a result, a buffer overflow occurs. So define len as unsigned and check against the length of the string input from user space. Change-Id: I8bb9ab33d543c826eb330e16ae116385d823ca98 Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
parent
cb746f47d4
commit
ddea3574a6
|
@ -1,4 +1,4 @@
|
|||
/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
|
||||
/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
|
@ -855,7 +855,8 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
|
|||
static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
|
||||
{
|
||||
struct buf_data *pcmds = file->private_data;
|
||||
int blen, len, i;
|
||||
unsigned int len;
|
||||
int blen, i;
|
||||
char *buf, *bufp, *bp;
|
||||
struct dsi_ctrl_hdr *dchdr;
|
||||
|
||||
|
@ -898,7 +899,7 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
|
|||
while (len >= sizeof(*dchdr)) {
|
||||
dchdr = (struct dsi_ctrl_hdr *)bp;
|
||||
dchdr->dlen = ntohs(dchdr->dlen);
|
||||
if (dchdr->dlen > len || dchdr->dlen < 0) {
|
||||
if (dchdr->dlen > (len - sizeof(*dchdr)) || dchdr->dlen < 0) {
|
||||
pr_err("%s: dtsi cmd=%x error, len=%d\n",
|
||||
__func__, dchdr->dtype, dchdr->dlen);
|
||||
kfree(buf);
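Review bot: In the last hunk, the new bound `dchdr->dlen > (len - sizeof(*dchdr))` compares a signed short (per the commit message) with an unsigned expression, so a negative dlen is rejected there only through implicit conversion to a large unsigned value; the `dchdr->dlen < 0` test that states the intent comes second. Testing the sign first and making the conversion explicit would be easier to audit: `if (dchdr->dlen < 0 || (size_t)dchdr->dlen > len - sizeof(*dchdr)) {`. A one-line comment such as `/* len >= sizeof(*dchdr) is guaranteed by the loop condition, so the subtraction cannot wrap */` would record why the unsigned subtraction is safe. The rest of the loop body and the place where `len` is initialised are outside the hunks; since `blen` stays a signed int while `len` is now unsigned, it is worth confirming in the full function that `blen` cannot be negative when it is presumably assigned to `len`.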
|
||||
|
|