On Thu, 2015-08-27 at 15:24 -0700, Dmitry Torokhov wrote: > On August 27, 2015 3:10:07 PM PDT, Kamal Mostafa <[email protected]> wrote: > >3.19.8-ckt6 -stable review patch. If anyone has any objections, please > >let me know. > > Bad patch, reverted in mainline, please drop.
OK, dropped from 3.19-stable. Thanks Dmitry! -Kamal > > > >------------------ > > > >From: Oleksij Rempel <[email protected]> > > > >commit 7d01cd261c76f95913c81554a751968a1d282d3a upstream. > > > >If we get a corrupted packet with PAYLOAD_LENGTH > FRAME_MAXSIZE, we > >will silently overwrite the stack. > > > >Signed-off-by: Oleksij Rempel <[email protected]> > >Signed-off-by: Dirk Behme <[email protected]> > >Signed-off-by: Dmitry Torokhov <[email protected]> > >Signed-off-by: Kamal Mostafa <[email protected]> > >--- > > drivers/input/touchscreen/zforce_ts.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > >diff --git a/drivers/input/touchscreen/zforce_ts.c > >b/drivers/input/touchscreen/zforce_ts.c > >index 19880c7..a9e1ee3 100644 > >--- a/drivers/input/touchscreen/zforce_ts.c > >+++ b/drivers/input/touchscreen/zforce_ts.c > >@@ -430,7 +430,7 @@ static int zforce_read_packet(struct zforce_ts *ts, > >u8 *buf) > > goto unlock; > > } > > > >- if (buf[PAYLOAD_LENGTH] == 0) { > >+ if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) > >{ > > dev_err(&client->dev, "invalid payload length: %d\n", > > buf[PAYLOAD_LENGTH]); > > ret = -EIO; > > > Thanks. > -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
