[media] firewire: firedtv-avc: fix more potential buffer overflow
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 9 Sep 2014 12:11:23 +0000 (09:11 -0300)
committerMauro Carvalho Chehab <mchehab@osg.samsung.com>
Tue, 23 Sep 2014 19:13:39 +0000 (16:13 -0300)
"program_info_length" is user controlled and can go up to 4095.  The
operand[] array has 509 bytes so we need to add a limit here to prevent
buffer overflows.

The " - 4" in the limit check is because we have 4 bytes more data to
add after the memcpy().

[mchehab@osg.samsung.com: as I merged the version 1 of the patch, I needed
 to rebase to apply just the differences between v1 and v2]
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
drivers/media/firewire/firedtv-avc.c

index ac17567f08225b258da918846a1fbef7ea93e78e..251a556112a99586288f680e018103c0b9eef90c 100644 (file)
@@ -1157,7 +1157,7 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
                if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
                        dev_err(fdtv->device,
                                "invalid pmt_cmd_id %d\n", pmt_cmd_id);
-               if (program_info_length > sizeof(c->operand) - write_pos) {
+               if (program_info_length > sizeof(c->operand) - 4 - write_pos) {
                        ret = -EINVAL;
                        goto out;
                }
@@ -1184,7 +1184,8 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
                                dev_err(fdtv->device, "invalid pmt_cmd_id %d "
                                        "at stream level\n", pmt_cmd_id);
 
-                       if (es_info_length > sizeof(c->operand) - write_pos) {
+                       if (es_info_length > sizeof(c->operand) - 4 -
+                                            write_pos) {
                                ret = -EINVAL;
                                goto out;
                        }