summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2014-09-08 08:18:43 -0300
committerMauro Carvalho Chehab <mchehab@osg.samsung.com>2014-09-23 16:13:37 -0300
commit3011e5e592a2d31556cc3eff335a1ecccd473fa0 (patch)
tree7285f69453ed9f0822019e42afb3ef10fe39c8c8
parentf2e323ec96077642d397bb1c355def536d489d16 (diff)
downloadlinux-3011e5e592a2d31556cc3eff335a1ecccd473fa0.tar.gz
linux-3011e5e592a2d31556cc3eff335a1ecccd473fa0.tar.bz2
linux-3011e5e592a2d31556cc3eff335a1ecccd473fa0.zip
[media] firewire: firedtv-avc: potential buffer overflow
"program_info_length" is user controlled and can go up to 4095. The operand[] array has 509 bytes so we need to add a limit here to prevent buffer overflows. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-rw-r--r--drivers/media/firewire/firedtv-avc.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index d1a1a1324ef8..ac17567f0822 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1157,6 +1157,10 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device,
"invalid pmt_cmd_id %d\n", pmt_cmd_id);
+ if (program_info_length > sizeof(c->operand) - write_pos) {
+ ret = -EINVAL;
+ goto out;
+ }
memcpy(&c->operand[write_pos], &msg[read_pos],
program_info_length);
@@ -1180,6 +1184,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
dev_err(fdtv->device, "invalid pmt_cmd_id %d "
"at stream level\n", pmt_cmd_id);
+ if (es_info_length > sizeof(c->operand) - write_pos) {
+ ret = -EINVAL;
+ goto out;
+ }
+
memcpy(&c->operand[write_pos], &msg[read_pos],
es_info_length);
read_pos += es_info_length;