drivers:misc:ti-st: protect against bad packets

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

We encounter situations where we got bad packet type from the
UART (probably due to platform problem or UART driver issues)
which caused us out of boundary array access,
which eventually led to kernel panic.

Signed-off-by: Amir Ayun <amira@ti.com>
Signed-off-by: Pavan Savoy <pavan_savoy@ti.com>
Signed-off-by: Leonid Iziumtsev <x0153368@ti.com>
Signed-off-by: Gigi Joseph <gigi.joseph@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Gigi Joseph and committed by

Greg Kroah-Hartman 11 years ago 0ec0cf19 868eba8e

+18 -6

1 changed file

expand all

drivers

misc

ti-st

st_core.c

+18 -6

drivers/misc/ti-st/st_core.c

··· 343 343 /* Unknow packet? */ 344 344 default: 345 345 type = *ptr; 346 - if (st_gdata->list[type] == NULL) { 347 - pr_err("chip/interface misbehavior dropping" 348 - " frame starting with 0x%02x", type); 349 - goto done; 350 346 347 + /* Default case means non-HCILL packets, 348 + * possibilities are packets for: 349 + * (a) valid protocol - Supported Protocols within 350 + * the ST_MAX_CHANNELS. 351 + * (b) registered protocol - Checked by 352 + * "st_gdata->list[type] == NULL)" are supported 353 + * protocols only. 354 + * Rules out any invalid protocol and 355 + * unregistered protocols with channel ID < 16. 356 + */ 357 + 358 + if ((type >= ST_MAX_CHANNELS) || 359 + (st_gdata->list[type] == NULL)) { 360 + pr_err("chip/interface misbehavior: " 361 + "dropping frame starting " 362 + "with 0x%02x\n", type); 363 + goto done; 351 364 } 365 + 352 366 st_gdata->rx_skb = alloc_skb( 353 367 st_gdata->list[type]->max_frame_size, 354 368 GFP_ATOMIC); ··· 907 893 kfree(st_gdata); 908 894 } 909 895 } 910 - 911 -