evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: mdss: hdmi: check up-bound of CEC frame size

Browse source 
the spec says the frame size will not be greater than
14, but this have a security hole when somebody sends
a message with a size greater than 14. So need check
up-boud of the CEC frame size.

Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f
Signed-off-by: zhaoyuan <yzhao@codeaurora.org>
This commit is contained in:
zhaoyuan 2017-02-20 13:42:20 +08:00 committed by Gerrit - the friendly Code Review server
parent 3bf75ddd22
commit d815f54f15
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
drivers/video/fbdev/msm/mdss_hdmi_cec.c
View file

@ -1,4 +1,4 @@
/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -196,7 +196,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
msg.sender_id, msg.recvr_id,
msg.frame_size);
if (msg.frame_size < 1) {
if (msg.frame_size < 1 || msg.frame_size > MAX_CEC_FRAME_SIZE) {
DEV_ERR("%s: invalid message (frame length = %d)\n",
__func__, msg.frame_size);
return;
@ -216,7 +216,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
msg.operand[i] = data & 0xFF;
}
for (; i < 14; i++)
for (; i < MAX_OPERAND_SIZE; i++)
msg.operand[i] = 0;
DEV_DBG("%s: opcode 0x%x, wakup_en %d, device_suspend %d\n", __func__,