diff options
| author | Yu Wu <quic_zwy@quicinc.com> | 2022-08-30 16:34:57 +0800 |
|---|---|---|
| committer | Yu Wu <quic_zwy@quicinc.com> | 2022-11-30 14:28:45 +0800 |
| commit | 8ef61bcc10d2b574f5d909af73815a15a6793fef (patch) | |
| tree | a2f0e6c826f255d942c227b8eef8393e4d38e16c | |
| parent | ca51d4f514abe083bbcb05e530a1574f8a852a47 (diff) | |
| download | touch-8ef61bcc10d2b574f5d909af73815a15a6793fef.tar.gz | |
touch: goodix: Add more checks for brl_send_config function
Add more checks in brl_send_config to ensure the config
data sent by user is valid. Also add more parameter
checks in brl_read_config function.
Change-Id: I6ac69de62e8565dc4bee4befbe3124c60118f3a1
Signed-off-by: Yu Wu <quic_zwy@quicinc.com>
| -rw-r--r-- | goodix_berlin_driver/goodix_brl_hw.c | 23 | ||||
| -rw-r--r-- | goodix_berlin_driver/goodix_ts_utils.c | 3 |
2 files changed, 23 insertions, 3 deletions
diff --git a/goodix_berlin_driver/goodix_brl_hw.c b/goodix_berlin_driver/goodix_brl_hw.c index f7b2afd..791bd42 100644 --- a/goodix_berlin_driver/goodix_brl_hw.c +++ b/goodix_berlin_driver/goodix_brl_hw.c @@ -497,14 +497,33 @@ static int brl_send_config(struct goodix_ts_core *cd, u8 *cfg, int len) { int ret; u8 *tmp_buf; + u16 cfg_head_len = sizeof(struct goodix_config_head) / sizeof(u8); struct goodix_ts_cmd cfg_cmd; struct goodix_ic_info_misc *misc = &cd->ic_info.misc; struct goodix_ts_hw_ops *hw_ops = cd->hw_ops; + struct goodix_config_head *cfg_head = (struct goodix_config_head *)cfg; - if (len > misc->fw_buffer_max_len) { + if (!cd || !cfg) { + ts_err("input parameter is NULL"); + return -EINVAL; + } else if (len > misc->fw_buffer_max_len) { ts_err("config len exceed limit %d > %d", len, misc->fw_buffer_max_len); return -EINVAL; + } else if (len < cfg_head_len) { + ts_err("config buffer size %d smaller than header size %d", + len, cfg_head_len); + return -EINVAL; + } else if (len != cfg_head_len + cfg_head->cfg_len) { + ts_err("config buffer size %d not equal to head %d + cfg_len %d", + len, cfg_head_len, cfg_head->cfg_len); + return -EINVAL; + } else if (checksum_cmp(cfg, cfg_head_len, CHECKSUM_MODE_U8_LE)) { + ts_err("config head checksum error"); + return -EINVAL; + } else if (checksum_cmp(cfg + cfg_head_len, cfg_head->cfg_len, CHECKSUM_MODE_U16_LE)) { + ts_err("config body checksum error"); + return -EINVAL; } tmp_buf = kzalloc(len, GFP_KERNEL); @@ -573,7 +592,7 @@ static int brl_read_config(struct goodix_ts_core *cd, u8 *cfg, int size) struct goodix_ts_hw_ops *hw_ops = cd->hw_ops; struct goodix_config_head cfg_head; - if (!cfg) + if (!cfg || sizeof(cfg_head) > size) return -EINVAL; cfg_cmd.len = CONFIG_CND_LEN; diff --git a/goodix_berlin_driver/goodix_ts_utils.c b/goodix_berlin_driver/goodix_ts_utils.c index e1388ac..3916a76 100644 --- a/goodix_berlin_driver/goodix_ts_utils.c +++ b/goodix_berlin_driver/goodix_ts_utils.c @@ -71,7 +71,8 @@ int checksum_cmp(const u8 *data, int size, int mode) u32 i; if (((mode == CHECKSUM_MODE_U8_LE) && (size < 2)) || - ((mode == CHECKSUM_MODE_U16_LE) && (size < 4))) + ((mode == CHECKSUM_MODE_U16_LE) && (size < 4)) || + ((mode == CHECKSUM_MODE_U16_LE) && (size % 2 != 0))) return 1; if (mode == CHECKSUM_MODE_U8_LE) { |