Staging: hv: mousevsc: Add a check to prevent memory corruption
authorK. Y. Srinivasan <kys@microsoft.com>
Fri, 28 Oct 2011 22:11:27 +0000 (15:11 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Sun, 27 Nov 2011 01:00:01 +0000 (17:00 -0800)
Add a check to prevent memory corruption.

Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/staging/hv/hv_mouse.c

index 7c7449bb5cf1e41c729a01ae34c09c7754cf8fb6..c22f729155fc56211e1c6298475bf60caf37c521 100644 (file)
@@ -274,6 +274,18 @@ static void mousevsc_on_receive(struct hv_device *device,
 
        switch (hid_msg->header.type) {
        case SYNTH_HID_PROTOCOL_RESPONSE:
+               /*
+                * While it will be impossible for us to protect against
+                * malicious/buggy hypervisor/host, add a check here to
+                * ensure we don't corrupt memory.
+                */
+               if ((pipe_msg->size + sizeof(struct pipe_prt_msg)
+                       - sizeof(unsigned char))
+                       > sizeof(struct mousevsc_prt_msg)) {
+                       WARN_ON(1);
+                       break;
+               }
+
                memcpy(&input_dev->protocol_resp, pipe_msg,
                       pipe_msg->size + sizeof(struct pipe_prt_msg) -
                       sizeof(unsigned char));