Staging: hv: mousevsc: Add a check to prevent memory corruption

author K. Y. Srinivasan <kys@microsoft.com>

Fri, 28 Oct 2011 22:11:27 +0000 (15:11 -0700)

committer Greg Kroah-Hartman <gregkh@suse.de>

Sun, 27 Nov 2011 01:00:01 +0000 (17:00 -0800)
author K. Y. Srinivasan <kys@microsoft.com>
Fri, 28 Oct 2011 22:11:27 +0000 (15:11 -0700)
committer Greg Kroah-Hartman <gregkh@suse.de>
Sun, 27 Nov 2011 01:00:01 +0000 (17:00 -0800)
diff --git a/drivers/staging/hv/hv_mouse.c b/drivers/staging/hv/hv_mouse.c

index 7c7449bb5cf1e41c729a01ae34c09c7754cf8fb6..c22f729155fc56211e1c6298475bf60caf37c521 100644 (file)
--- a/drivers/staging/hv/hv_mouse.c
+++ b/drivers/staging/hv/hv_mouse.c
@@ -274,6 +274,18 @@ static void mousevsc_on_receive(struct hv_device *device,
  
         switch (hid_msg->header.type) {
         case SYNTH_HID_PROTOCOL_RESPONSE:
+               /*
+                * While it will be impossible for us to protect against
+                * malicious/buggy hypervisor/host, add a check here to
+                * ensure we don't corrupt memory.
+                */
+               if ((pipe_msg->size + sizeof(struct pipe_prt_msg)
+                       - sizeof(unsigned char))
+                       > sizeof(struct mousevsc_prt_msg)) {
+                       WARN_ON(1);
+                       break;
+               }
+
                 memcpy(&input_dev->protocol_resp, pipe_msg,
                        pipe_msg->size + sizeof(struct pipe_prt_msg) -
                        sizeof(unsigned char));
author	K. Y. Srinivasan <kys@microsoft.com>
	Fri, 28 Oct 2011 22:11:27 +0000 (15:11 -0700)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Sun, 27 Nov 2011 01:00:01 +0000 (17:00 -0800)