si2157: return -EINVAL if firmware blob is too big
authorLaura Abbott <labbott@fedoraproject.org>
Mon, 5 Oct 2015 22:33:29 +0000 (19:33 -0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Mar 2016 23:07:14 +0000 (15:07 -0800)
commit d2cc2f0b35465951eaaf0387fd55e29835ed7ea6 upstream.

A previous patch added a check if the firmware is too big, but it didn't
set the return error code with the right value.

[mchehab@osg.samsung.com: I ended by applying a v1 of Laura's patch, without
 the proper return code. This patch contains the difference between v2 and v1 of
 the Laura's "si2157: Bounds check firmware" patch]
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Reviewed-by: Olli Salonen <olli.salonen@iki.fi>
Tested-by: Olli Salonen <olli.salonen@iki.fi>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
drivers/media/tuners/si2157.c

index ce157edd45fa1adb3dd382037dd421f8b8590091..0e1ca2b00e61e3e78e3f30f1f357a2902aebb7d0 100644 (file)
@@ -168,6 +168,7 @@ static int si2157_init(struct dvb_frontend *fe)
                len = fw->data[fw->size - remaining];
                if (len > SI2157_ARGLEN) {
                        dev_err(&client->dev, "Bad firmware length\n");
+                       ret = -EINVAL;
                        goto err_release_firmware;
                }
                memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);