From 37ba3c350e64adcbdd483e81bf194c05d9573515 Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Sat, 14 Apr 2018 17:06:44 +0200 Subject: [PATCH] HID: intel_ish-hid: Move header size check to inside the loop With the headersize check outside of the loop, the second time through the loop the: "payload_len = recv_msg->hdr.size;" statement may deref recv_msg while it is pointing outside of our input buffer. Move the headersize check to inside the loop to fix this. Signed-off-by: Hans de Goede Reviewed-by: Benjamin Tissoires Acked-by: Srinivas Pandruvada Signed-off-by: Jiri Kosina --- drivers/hid/intel-ish-hid/ishtp-hid-client.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/hid/intel-ish-hid/ishtp-hid-client.c b/drivers/hid/intel-ish-hid/ishtp-hid-client.c index 157b44aacdff..6ce1856bb368 100644 --- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c +++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c @@ -77,21 +77,21 @@ static void process_recv(struct ishtp_cl *hid_ishtp_cl, void *recv_buf, struct ishtp_cl_data *client_data = hid_ishtp_cl->client_data; int curr_hid_dev = client_data->cur_hid_dev; - if (data_len < sizeof(struct hostif_msg_hdr)) { - dev_err(&client_data->cl_device->dev, - "[hid-ish]: error, received %u which is less than data header %u\n", - (unsigned int)data_len, - (unsigned int)sizeof(struct hostif_msg_hdr)); - ++client_data->bad_recv_cnt; - ish_hw_reset(hid_ishtp_cl->dev); - return; - } - payload = recv_buf + sizeof(struct hostif_msg_hdr); total_len = data_len; cur_pos = 0; do { + if (cur_pos + sizeof(struct hostif_msg) > total_len) { + dev_err(&client_data->cl_device->dev, + "[hid-ish]: error, received %u which is less than data header %u\n", + (unsigned int)data_len, + (unsigned int)sizeof(struct hostif_msg_hdr)); + ++client_data->bad_recv_cnt; + ish_hw_reset(hid_ishtp_cl->dev); + break; + } + recv_msg = (struct hostif_msg *)(recv_buf + cur_pos); payload_len = recv_msg->hdr.size;