greybus: gpio: fix null-deref on short irq requests

Make sure to verify the length of incoming requests before trying to
parse the request buffer, which can even be NULL on empty requests.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

diff --git a/drivers/staging/greybus/gpio.c b/drivers/staging/greybus/gpio.c
index 2bac28ec7f853d37919c9a1048708d63ab6f085a..7dc675d7bd5ba05bb9dd5706ce11c6824258fe33 100644 (file)
--- a/drivers/staging/greybus/gpio.c
+++ b/drivers/staging/greybus/gpio.c
@@ -413,6 +413,12 @@ static void gb_gpio_request_recv(u8 type, struct gb_operation *op)
        ggc = connection->private;
 
        request = op->request;
+
+       if (request->payload_size < sizeof(*event)) {
+               dev_err(ggc->chip.dev, "short event received\n");
+               return;
+       }
+
        event = request->payload;
        if (event->which > ggc->line_max) {
                dev_err(ggc->chip.dev, "invalid hw irq: %d\n", event->which);