ttusb2: limit messages to buffer size

commit a12b8ab8c5ff7ccd7b107a564743507c850a441d upstream. Otherwise ttusb2_i2c_xfer can read or write beyond the end of static and heap buffers. Signed-off-by: Alyssa Milburn <amilburn@zall.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Alyssa Milburn <amilburn@zall.org> 2017-04-01 13:34:32 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-05-25 09:44:39 -0400
commit: 4f93054d9b45857cc68bb7f5e8010e086be656ce (patch)
tree: b891984b90127c656aa80a85d673cb27b6a96995 /drivers
parent: c71b5040632f90131e62ecdc83063179cc2ae7af (diff)
1 files changed, 19 insertions, 0 deletions
diff --git a/drivers/media/usb/dvb-usb/ttusb2.c b/drivers/media/usb/dvb-usb/ttusb2.c
index ecc207fbaf3c..9e0d6a4166d2 100644
--- a/drivers/media/usb/dvb-usb/ttusb2.c
+++ b/drivers/media/usb/dvb-usb/ttusb2.c
@@ -78,6 +78,9 @@ static int ttusb2_msg(struct dvb_usb_device *d, u8 cmd,
        u8 *s, *r = NULL;
        int ret = 0;
+        if (4 + rlen > 64)
+                return -EIO;
        s = kzalloc(wlen+4, GFP_KERNEL);
        if (!s)
                return -ENOMEM;
@@ -381,6 +384,22 @@ static int ttusb2_i2c_xfer(struct i2c_adapter *adap,struct i2c_msg msg[],int num
                write_read = i+1 < num && (msg[i+1].flags & I2C_M_RD);
                read = msg[i].flags & I2C_M_RD;
+                if (3 + msg[i].len > sizeof(obuf)) {
+                        err("i2c wr len=%d too high", msg[i].len);
+                        break;
+                }
+                if (write_read) {
+                        if (3 + msg[i+1].len > sizeof(ibuf)) {
+                                err("i2c rd len=%d too high", msg[i+1].len);
+                                break;
+                        }
+                } else if (read) {
+                        if (3 + msg[i].len > sizeof(ibuf)) {
+                                err("i2c rd len=%d too high", msg[i].len);
+                                break;
+                        }
+                }
                obuf[0] = (msg[i].addr << 1) | (write_read | read);
                if (read)
                        obuf[1] = 0;
author	Alyssa Milburn <amilburn@zall.org>	2017-04-01 13:34:32 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-05-25 09:44:39 -0400
commit	4f93054d9b45857cc68bb7f5e8010e086be656ce (patch)
tree	b891984b90127c656aa80a85d673cb27b6a96995 /drivers
parent	c71b5040632f90131e62ecdc83063179cc2ae7af (diff)

diff --git a/drivers/media/usb/dvb-usb/ttusb2.c b/drivers/media/usb/dvb-usb/ttusb2.c index ecc207fbaf3c..9e0d6a4166d2 100644 --- a/drivers/media/usb/dvb-usb/ttusb2.c +++ b/drivers/media/usb/dvb-usb/ttusb2.c
@@ -78,6 +78,9 @@ static int ttusb2_msg(struct dvb_usb_device *d, u8 cmd,
78	u8 s, r = NULL;	78	u8 s, r = NULL;
79	int ret = 0;	79	int ret = 0;
80		80
		81	if (4 + rlen > 64)
		82	return -EIO;
		83
81	s = kzalloc(wlen+4, GFP_KERNEL);	84	s = kzalloc(wlen+4, GFP_KERNEL);
82	if (!s)	85	if (!s)
83	return -ENOMEM;	86	return -ENOMEM;
@@ -381,6 +384,22 @@ static int ttusb2_i2c_xfer(struct i2c_adapter *adap,struct i2c_msg msg[],int num
381	write_read = i+1 < num && (msg[i+1].flags & I2C_M_RD);	384	write_read = i+1 < num && (msg[i+1].flags & I2C_M_RD);
382	read = msg[i].flags & I2C_M_RD;	385	read = msg[i].flags & I2C_M_RD;
383		386
		387	if (3 + msg[i].len > sizeof(obuf)) {
		388	err("i2c wr len=%d too high", msg[i].len);
		389	break;
		390	}
		391	if (write_read) {
		392	if (3 + msg[i+1].len > sizeof(ibuf)) {
		393	err("i2c rd len=%d too high", msg[i+1].len);
		394	break;
		395	}
		396	} else if (read) {
		397	if (3 + msg[i].len > sizeof(ibuf)) {
		398	err("i2c rd len=%d too high", msg[i].len);
		399	break;
		400	}
		401	}
		402
384	obuf[0] = (msg[i].addr << 1) \| (write_read \| read);	403	obuf[0] = (msg[i].addr << 1) \| (write_read \| read);
385	if (read)	404	if (read)
386	obuf[1] = 0;	405	obuf[1] = 0;