From a491499c3490999555b7ccf8ad1a7d6455625807 Mon Sep 17 00:00:00 2001 From: zhaoyuan Date: Mon, 20 Feb 2017 13:42:20 +0800 Subject: msm: mdss: hdmi: check up-bound of CEC frame size the spec says the frame size will not be greater than 14, but this have a security hole when somebody sends a message with a size greater than 14. So need check up-boud of the CEC frame size. Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f Signed-off-by: zhaoyuan --- drivers/video/msm/mdss/mdss_hdmi_cec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/video/msm/mdss/mdss_hdmi_cec.c b/drivers/video/msm/mdss/mdss_hdmi_cec.c index a424d98..a4ed012 100644 --- a/drivers/video/msm/mdss/mdss_hdmi_cec.c +++ b/drivers/video/msm/mdss/mdss_hdmi_cec.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. +/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -196,7 +196,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work) msg.sender_id, msg.recvr_id, msg.frame_size); - if (msg.frame_size < 1) { + if (msg.frame_size < 1 || msg.frame_size > MAX_CEC_FRAME_SIZE) { DEV_ERR("%s: invalid message (frame length = %d)\n", __func__, msg.frame_size); return; @@ -216,7 +216,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work) msg.operand[i] = data & 0xFF; } - for (; i < 14; i++) + for (; i < MAX_OPERAND_SIZE; i++) msg.operand[i] = 0; DEV_DBG("%s: opcode 0x%x, wakup_en %d, device_suspend %d\n", __func__, -- cgit v1.1