authorPali Rohár <pali.rohar@gmail.com>2014-09-29 15:10:51 +0200
committerDarren Hart <dvhart@linux.intel.com>2014-09-29 14:54:27 -0700
commita666b6ffbc9b6705a3ced704f52c3fe9ea8bf959 (patch)
treee185e11600a42879f790594f44c76ef39036005c /drivers/platform
parenteeepc-laptop: clean up control flow in *_rfkill_notifier (diff)
dell-wmi: Fix access out of memory
Without this patch, dell-wmi is trying to access elements of dynamically allocated array without checking the array size. This can lead to memory corruption or a kernel panic. This patch adds the missing checks for array size. Signed-off-by: Pali Rohár <pali.rohar@gmail.com> Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Diffstat (limited to 'drivers/platform')
-rw-r--r--drivers/platform/x86/dell-wmi.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
index 390e8e33d5e3..25721bf20092 100644
--- a/drivers/platform/x86/dell-wmi.c
+++ b/drivers/platform/x86/dell-wmi.c
@@ -163,18 +163,24 @@ static void dell_wmi_notify(u32 value, void *context)
const struct key_entry *key;
int reported_key;
u16 *buffer_entry = (u16 *)obj->buffer.pointer;
+ int buffer_size = obj->buffer.length/2;
- if (dell_new_hk_type && (buffer_entry[1] != 0x10)) {
+ if (buffer_size >= 2 && dell_new_hk_type && buffer_entry[1] != 0x10) {
pr_info("Received unknown WMI event (0x%x)\n",
buffer_entry[1]);
kfree(obj);
return;
}
- if (dell_new_hk_type || buffer_entry[1] == 0x0)
+ if (buffer_size >= 3 && (dell_new_hk_type || buffer_entry[1] == 0x0))
reported_key = (int)buffer_entry[2];
- else
+ else if (buffer_size >= 2)
reported_key = (int)buffer_entry[1] & 0xffff;
+ else {
+ pr_info("Received unknown WMI event\n");
+ kfree(obj);
+ return;
+ }
key = sparse_keymap_entry_from_scancode(dell_wmi_input_dev,
reported_key);
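Review bot: In the `reported_key` selection the size test is folded into the format test, so a two-entry buffer that should be read as `buffer_entry[2]` (new hotkey type, or `buffer_entry[1] == 0x0`) falls through to the `else if (buffer_size >= 2)` arm and is reported as the legacy scancode `buffer_entry[1] & 0xffff` instead of being rejected. The out-of-bounds read is closed, but a truncated event is then looked up in the keymap under the wrong interpretation. Validating the length first and choosing the format afterwards keeps the two decisions separate, as sketched below. The `(u16 *)` cast of `obj->buffer.pointer` also relies on `obj` being a buffer object, which is presumably checked above the hunk; dell_wmi_notify starts and ends outside it.

```c
	int buffer_size = obj->buffer.length/2;

	/* Every format reads entry 1, so reject anything shorter up front. */
	if (buffer_size < 2) {
		pr_info("Received unknown WMI event\n");
		kfree(obj);
		return;
	}

	/* … unchanged: dell_new_hk_type / 0x10 check, without the buffer_size test … */

	if (dell_new_hk_type || buffer_entry[1] == 0x0) {
		/* This format carries the key in entry 2; do not fall back to entry 1. */
		if (buffer_size < 3) {
			pr_info("Received unknown WMI event\n");
			kfree(obj);
			return;
		}
		reported_key = (int)buffer_entry[2];
	} else {
		reported_key = (int)buffer_entry[1] & 0xffff;
	}
```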