From: David Binder Date: Wed, 1 Feb 2017 22:38:55 +0000 (-0500) Subject: staging: unisys: visorbus: Check controlvm message payload size X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=308ee8aa1fd28102d078431a199106bc47d10128;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git staging: unisys: visorbus: Check controlvm message payload size Checks the controlvm message's payload size before copying it into a parser_context struct's name region. Signed-off-by: David Binder Signed-off-by: David Kershner Reported-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/unisys/visorbus/visorchipset.c b/drivers/staging/unisys/visorbus/visorchipset.c index 4e630ea527e8..df2dfeb14027 100644 --- a/drivers/staging/unisys/visorbus/visorchipset.c +++ b/drivers/staging/unisys/visorbus/visorchipset.c @@ -399,6 +399,10 @@ parser_name_get(struct parser_context *ctx) struct spar_controlvm_parameters_header *phdr = NULL; phdr = (struct spar_controlvm_parameters_header *)(ctx->data); + + if (phdr->name_offset + phdr->name_length > ctx->param_bytes) + return NULL; + ctx->curr = ctx->data + phdr->name_offset; ctx->bytes_remaining = phdr->name_length; return parser_string_get(ctx);
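Review bot: the new bounds check in parser_name_get() adds `phdr->name_offset + phdr->name_length` before comparing it to `ctx->param_bytes`. If both fields are fixed-width unsigned values taken from the controlvm message, a large name_offset can wrap the sum so that it passes the check, and `ctx->curr` then points outside the payload. The field types are not visible in this hunk, so that is an assumption to confirm. Comparing without the addition avoids the problem: `if (phdr->name_offset > ctx->param_bytes || phdr->name_length > ctx->param_bytes - phdr->name_offset) return NULL;`. The hunk also dereferences phdr with no visible check that param_bytes covers the parameters header itself, so it is worth confirming that this is validated before parser_name_get() is reached. The added blank line between the check and the `ctx->curr` assignment is fine, but the commit message could note that callers now receive NULL for a malformed payload.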