authorzhaoyuan <yzhao@codeaurora.org>2017-02-20 13:42:20 +0800
committerGerrit - the friendly Code Review server <code-review@localhost>2017-02-27 16:55:25 -0800
commitd815f54f15d765b5e0035a9d208d71567bcaace0 (patch)
tree90d922e5e2f0d86ed54319406f05887999764423 /drivers/video
parent3bf75ddd22dc6e7303e962a262c8d64e5ab87b15 (diff)
msm: mdss: hdmi: check up-bound of CEC frame size
The spec says the frame size will not be greater than 14, but there is a security hole when somebody sends a message with a size greater than 14. So we need to check the upper bound of the CEC frame size. Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f Signed-off-by: zhaoyuan <yzhao@codeaurora.org>
Diffstat (limited to 'drivers/video')
-rw-r--r--drivers/video/fbdev/msm/mdss_hdmi_cec.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/video/fbdev/msm/mdss_hdmi_cec.c b/drivers/video/fbdev/msm/mdss_hdmi_cec.c
index a424d987bb63..a4ed01210e04 100644
--- a/drivers/video/fbdev/msm/mdss_hdmi_cec.c
+++ b/drivers/video/fbdev/msm/mdss_hdmi_cec.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -196,7 +196,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
msg.sender_id, msg.recvr_id,
msg.frame_size);
- if (msg.frame_size < 1) {
+ if (msg.frame_size < 1 || msg.frame_size > MAX_CEC_FRAME_SIZE) {
DEV_ERR("%s: invalid message (frame length = %d)\n",
__func__, msg.frame_size);
return;
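Review bot: The new upper bound on `msg.frame_size` is only as good as the relationship between `MAX_CEC_FRAME_SIZE` here and `MAX_OPERAND_SIZE` in the padding loop of the next hunk, and neither definition is visible in this diff. The operand copy loop that this check protects sits between the two hunks (only its last line, `msg.operand[i] = data & 0xFF;`, is shown), so a reader cannot confirm that a frame of the maximum accepted size stays inside `msg.operand`. I would pin that down next to the check with a comment such as `/* frame_size is taken from the received frame; reject anything that would overrun msg.operand */` and a compile-time assertion tying the constants to the array length, for example `BUILD_BUG_ON(MAX_OPERAND_SIZE > ARRAY_SIZE(msg.operand));` if `operand` is a fixed-size array. The commit message gives the limit as 14, which presumably counts operands rather than the whole frame; saying which one in the comment would avoid an off-by-header mistake later.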
@@ -216,7 +216,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
msg.operand[i] = data & 0xFF;
}
- for (; i < 14; i++)
+ for (; i < MAX_OPERAND_SIZE; i++)
msg.operand[i] = 0;
DEV_DBG("%s: opcode 0x%x, wakup_en %d, device_suspend %d\n", __func__,