From: Laura Abbott Date: Wed, 30 Sep 2015 00:10:10 +0000 (-0300) Subject: [media] si2157: Bounds check firmware X-Git-Tag: firefly_0821_release~176^2~897^2~5 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=a828d72df216c36e9c40b6c24dc4b17b6f7b5a76;p=firefly-linux-kernel-4.4.55.git [media] si2157: Bounds check firmware When reading the firmware and sending commands, the length must be bounds checked to avoid overrunning the size of the command buffer and smashing the stack if the firmware is not in the expected format. Add the proper check. Cc: stable@kernel.org Signed-off-by: Laura Abbott Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c index 507382160e5e..ce157edd45fa 100644 --- a/drivers/media/tuners/si2157.c +++ b/drivers/media/tuners/si2157.c @@ -166,6 +166,10 @@ static int si2157_init(struct dvb_frontend *fe) for (remaining = fw->size; remaining > 0; remaining -= 17) { len = fw->data[fw->size - remaining]; + if (len > SI2157_ARGLEN) { + dev_err(&client->dev, "Bad firmware length\n"); + goto err_release_firmware; + } memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len); cmd.wlen = len; cmd.rlen = 1;