diff options
author | K. Y. Srinivasan <kys@microsoft.com> | 2011-10-28 15:11:27 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-11-26 17:00:01 -0800 |
commit | 226383751ff3ce67a648653e8bfe0842f36bbf96 (patch) | |
tree | 9cdb2521e59e2fe1a23006ba07e07ae79cdf411d | |
parent | dba8e1ad957e19ab42c39808a502803dc5b2dee7 (diff) | |
download | op-kernel-dev-226383751ff3ce67a648653e8bfe0842f36bbf96.zip op-kernel-dev-226383751ff3ce67a648653e8bfe0842f36bbf96.tar.gz |
Staging: hv: mousevsc: Add a check to prevent memory corruption
Add a check to prevent memory corruption.
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/staging/hv/hv_mouse.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/drivers/staging/hv/hv_mouse.c b/drivers/staging/hv/hv_mouse.c index 7c7449b..c22f729 100644 --- a/drivers/staging/hv/hv_mouse.c +++ b/drivers/staging/hv/hv_mouse.c @@ -274,6 +274,18 @@ static void mousevsc_on_receive(struct hv_device *device, switch (hid_msg->header.type) { case SYNTH_HID_PROTOCOL_RESPONSE: + /* + * While it will be impossible for us to protect against + * malicious/buggy hypervisor/host, add a check here to + * ensure we don't corrupt memory. + */ + if ((pipe_msg->size + sizeof(struct pipe_prt_msg) + - sizeof(unsigned char)) + > sizeof(struct mousevsc_prt_msg)) { + WARN_ON(1); + break; + } + memcpy(&input_dev->protocol_resp, pipe_msg, pipe_msg->size + sizeof(struct pipe_prt_msg) - sizeof(unsigned char)); |