greybus: gpio: fix null-deref on short irq requests
author Johan Hovold <johan@hovoldconsulting.com>
Fri, 27 Mar 2015 11:45:41 +0000 (12:45 +0100)
committer Greg Kroah-Hartman <greg@kroah.com>
Mon, 30 Mar 2015 13:17:37 +0000 (15:17 +0200)
Make sure to verify the length of incoming requests before trying to
parse the request buffer, which can even be NULL on empty requests.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
drivers/staging/greybus/gpio.c

index 2bac28ec7f853d37919c9a1048708d63ab6f085a..7dc675d7bd5ba05bb9dd5706ce11c6824258fe33 100644 (file)
@@ -413,6 +413,12 @@ static void gb_gpio_request_recv(u8 type, struct gb_operation *op)
        ggc = connection->private;
 
        request = op->request;
+
+       if (request->payload_size < sizeof(*event)) {
+               dev_err(ggc->chip.dev, "short event received\n");
+               return;
+       }
+
        event = request->payload;
        if (event->which > ggc->line_max) {
                dev_err(ggc->chip.dev, "invalid hw irq: %d\n", event->which);
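Review bot: the dev_err() in the new short-request branch logs a fixed string with neither the received nor the expected length, and it fires on input supplied by the remote end, so a peer that keeps sending short or empty requests can fill the kernel log. Consider printing request->payload_size next to sizeof(*event) in the message and using dev_err_ratelimited() here. The ordering itself is right: the length test runs before `event = request->payload;` is dereferenced, and a payload_size of 0 fails the comparison, which covers the NULL-buffer case named in the commit message. A short comment above the check saying that the payload may be NULL on empty requests would keep a later refactor from moving the assignment back above it.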