Staging: hv: mousevsc: Add a check to prevent memory corruption

Add a check to prevent memory corruption. Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: K. Y. Srinivasan <kys@microsoft.com> 2011-10-28 15:11:27 -0700
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-11-26 17:00:01 -0800
commit: 226383751ff3ce67a648653e8bfe0842f36bbf96 (patch)
tree: 9cdb2521e59e2fe1a23006ba07e07ae79cdf411d /drivers/staging/hv
parent: dba8e1ad957e19ab42c39808a502803dc5b2dee7 (diff)
download: op-kernel-dev-226383751ff3ce67a648653e8bfe0842f36bbf96.zip
op-kernel-dev-226383751ff3ce67a648653e8bfe0842f36bbf96.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/drivers/staging/hv/hv_mouse.c b/drivers/staging/hv/hv_mouse.c
index 7c7449b..c22f729 100644
--- a/drivers/staging/hv/hv_mouse.c
+++ b/drivers/staging/hv/hv_mouse.c
@@ -274,6 +274,18 @@ static void mousevsc_on_receive(struct hv_device *device,
 
 	switch (hid_msg->header.type) {
 	case SYNTH_HID_PROTOCOL_RESPONSE:
+		/*
+		 * While it will be impossible for us to protect against
+		 * malicious/buggy hypervisor/host, add a check here to
+		 * ensure we don't corrupt memory.
+		 */
+		if ((pipe_msg->size + sizeof(struct pipe_prt_msg)
+			- sizeof(unsigned char))
+			> sizeof(struct mousevsc_prt_msg)) {
+			WARN_ON(1);
+			break;
+		}
+
 		memcpy(&input_dev->protocol_resp, pipe_msg,
 		       pipe_msg->size + sizeof(struct pipe_prt_msg) -
 		       sizeof(unsigned char));
author	K. Y. Srinivasan <kys@microsoft.com>	2011-10-28 15:11:27 -0700
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-11-26 17:00:01 -0800
commit	226383751ff3ce67a648653e8bfe0842f36bbf96 (patch)
tree	9cdb2521e59e2fe1a23006ba07e07ae79cdf411d /drivers/staging/hv
parent	dba8e1ad957e19ab42c39808a502803dc5b2dee7 (diff)
download	op-kernel-dev-226383751ff3ce67a648653e8bfe0842f36bbf96.zip op-kernel-dev-226383751ff3ce67a648653e8bfe0842f36bbf96.tar.gz