media: rc: validate that "rc_proto" is reasonable

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Smatch complains that "rc_proto" comes from the user and it can result
in shift wrapping in ir_raw_encode_scancode()

drivers/media/rc/rc-ir-raw.c:526 ir_raw_encode_scancode()
error: undefined (user controlled) shift '1 << protocol'

This is true, but I reviewed the surrounding code and it appears
harmless. Anyway, let's verify that "rc_proto" is valid as a kernel
hardening measure.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

authored by

Dan Carpenter and committed by

Mauro Carvalho Chehab 5 years ago 72e637fe 7399139b

+3 -1

2 changed files

expand all

drivers

media

lirc_dev.c

include

uapi

linux

lirc.h

+2 -1

drivers/media/rc/lirc_dev.c

··· 263 263 goto out_unlock; 264 264 } 265 265 266 - if (scan.flags || scan.keycode || scan.timestamp) { 266 + if (scan.flags || scan.keycode || scan.timestamp || 267 + scan.rc_proto > RC_PROTO_MAX) { 267 268 ret = -EINVAL; 268 269 goto out_unlock; 269 270 }

include/uapi/linux/lirc.h

··· 226 226 RC_PROTO_RCMM24 = 25, 227 227 RC_PROTO_RCMM32 = 26, 228 228 RC_PROTO_XBOX_DVD = 27, 229 + RC_PROTO_MAX = RC_PROTO_XBOX_DVD, 229 230 }; 230 231 231 232 #endif