|
 |
48f65f6 |
From 526fbce5b0e44c67a97c57656b3be9911f0a9b9b Mon Sep 17 00:00:00 2001
|
|
|
48f65f6 |
From: Laura Abbott <labbott@fedoraproject.org>
|
|
|
48f65f6 |
Date: Tue, 29 Sep 2015 16:59:20 -0700
|
|
|
48f65f6 |
Subject: [PATCH 2/2] si2157: Bounds check firmware
|
|
|
48f65f6 |
To: Antti Palosaari <crope@iki.fi>
|
|
|
48f65f6 |
To: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
|
48f65f6 |
Cc: Olli Salonen <olli.salonen@iki.fi>
|
|
|
48f65f6 |
Cc: linux-media@vger.kernel.org
|
|
|
48f65f6 |
Cc: linux-kernel@vger.kernel.org
|
|
|
48f65f6 |
|
|
|
48f65f6 |
When reading the firmware and sending commands, the length
|
|
|
48f65f6 |
must be bounds checked to avoid overrunning the size of the command
|
|
|
48f65f6 |
buffer and smashing the stack if the firmware is not in the
|
|
|
48f65f6 |
expected format. Add the proper check.
|
|
|
48f65f6 |
|
|
|
48f65f6 |
Cc: stable@kernel.org
|
|
|
48f65f6 |
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
|
|
|
48f65f6 |
---
|
|
|
48f65f6 |
drivers/media/tuners/si2157.c | 4 ++++
|
|
|
48f65f6 |
1 file changed, 4 insertions(+)
|
|
|
48f65f6 |
|
|
|
48f65f6 |
diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
|
|
|
48f65f6 |
index 5073821..ce157ed 100644
|
|
|
48f65f6 |
--- a/drivers/media/tuners/si2157.c
|
|
|
48f65f6 |
+++ b/drivers/media/tuners/si2157.c
|
|
|
48f65f6 |
@@ -166,6 +166,10 @@ static int si2157_init(struct dvb_frontend *fe)
|
|
|
48f65f6 |
|
|
|
48f65f6 |
for (remaining = fw->size; remaining > 0; remaining -= 17) {
|
|
|
48f65f6 |
len = fw->data[fw->size - remaining];
|
|
|
48f65f6 |
+ if (len > SI2157_ARGLEN) {
|
|
|
48f65f6 |
+ dev_err(&client->dev, "Bad firmware length\n");
|
|
|
48f65f6 |
+ goto err_release_firmware;
|
|
|
48f65f6 |
+ }
|
|
|
48f65f6 |
memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
|
|
|
48f65f6 |
cmd.wlen = len;
|
|
|
48f65f6 |
cmd.rlen = 1;
|
|
|
48f65f6 |
--
|
|
|
48f65f6 |
2.4.3
|
|
|
48f65f6 |
|