diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2014-09-08 13:18:43 +0200 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@osg.samsung.com> | 2014-09-23 21:13:37 +0200 |
commit | 3011e5e592a2d31556cc3eff335a1ecccd473fa0 (patch) | |
tree | 7285f69453ed9f0822019e42afb3ef10fe39c8c8 /drivers/media/firewire | |
parent | [media] ttusb-dec: buffer overflow in ioctl (diff) | |
download | linux-3011e5e592a2d31556cc3eff335a1ecccd473fa0.tar.xz linux-3011e5e592a2d31556cc3eff335a1ecccd473fa0.zip |
[media] firewire: firedtv-avc: potential buffer overflow
"program_info_length" is user controlled and can go up to 4095. The
operand[] array has 509 bytes so we need to add a limit here to prevent
buffer overflows.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Diffstat (limited to 'drivers/media/firewire')
-rw-r--r-- | drivers/media/firewire/firedtv-avc.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c index d1a1a1324ef8..ac17567f0822 100644 --- a/drivers/media/firewire/firedtv-avc.c +++ b/drivers/media/firewire/firedtv-avc.c @@ -1157,6 +1157,10 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) if (pmt_cmd_id != 1 && pmt_cmd_id != 4) dev_err(fdtv->device, "invalid pmt_cmd_id %d\n", pmt_cmd_id); + if (program_info_length > sizeof(c->operand) - write_pos) { + ret = -EINVAL; + goto out; + } memcpy(&c->operand[write_pos], &msg[read_pos], program_info_length); @@ -1180,6 +1184,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) dev_err(fdtv->device, "invalid pmt_cmd_id %d " "at stream level\n", pmt_cmd_id); + if (es_info_length > sizeof(c->operand) - write_pos) { + ret = -EINVAL; + goto out; + } + memcpy(&c->operand[write_pos], &msg[read_pos], es_info_length); read_pos += es_info_length; |