
[media] dib0700_core: don't use stack on I2C reads

Be sure that I2C reads won't use the stack by passing
a pointer to the state buffer, which we know was
allocated via kmalloc, instead of relying on the buffer
allocated by an I2C client.

Reviewed-by: Patrick Boettcher <patrick.boettcher@posteo.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

+26 -1
+26 -1
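--- a/drivers/media/usb/dvb-usb/dib0700_core.c
+++ b/drivers/media/usb/dvb-usb/dib0700_core.c
@@ -213,13 +213,21 @@
 usb_rcvctrlpipe(d->udev, 0),
 REQUEST_NEW_I2C_READ,
 USB_TYPE_VENDOR | USB_DIR_IN,
-value, index, msg[i].buf,
+value, index, st->buf,
 msg[i].len,
 USB_CTRL_GET_TIMEOUT);
 if (result < 0) {
 deb_info("i2c read error (status = %d)\n", result);
 break;
 }
+
+if (msg[i].len > sizeof(st->buf)) {
+deb_info("buffer too small to fit %d bytes\n",
+msg[i].len);
+return -EIO;
+}
+
+memcpy(msg[i].buf, st->buf, msg[i].len);
 
 deb_data("<<< ");
 debug_dump(msg[i].buf, msg[i].len, deb_data);
@@ -246,6 +238,13 @@
 /* I2C ctrl + FE bus; */
 st->buf[3] = ((gen_mode << 6) & 0xC0) |
 ((bus_mode << 4) & 0x30);
+
+if (msg[i].len > sizeof(st->buf) - 4) {
+deb_info("i2c message to big: %d\n",
+msg[i].len);
+return -EIO;
+}
+
 /* The Actual i2c payload */
 memcpy(&st->buf[4], msg[i].buf, msg[i].len);
 
@@ -298,6 +283,11 @@
 /* fill in the address */
 st->buf[1] = msg[i].addr << 1;
 /* fill the buffer */
+if (msg[i].len > sizeof(st->buf) - 2) {
+deb_info("i2c xfer to big: %d\n",
+msg[i].len);
+return -EIO;
+}
 memcpy(&st->buf[2], msg[i].buf, msg[i].len);
 
 /* write/read request */
@@ -319,6 +299,11 @@
 break;
 }
 
+if (msg[i + 1].len > sizeof(st->buf)) {
+deb_info("i2c xfer buffer to small for %d\n",
+msg[i].len);
+return -EIO;
+}
 memcpy(msg[i + 1].buf, st->buf, msg[i + 1].len);
 
 msg[i+1].len = len;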
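Review bot: In the first hunk the `msg[i].len > sizeof(st->buf)` check is placed after the `usb_control_msg()` call that already reads up to `msg[i].len` bytes into `st->buf`, so an oversized I2C message overflows the state buffer before the check can reject it; the five-line check needs to move above the transfer (the call begins before the hunk), with only the `memcpy()` back to `msg[i].buf` staying where it is. The same ordering concern applies to the fourth hunk, where the `msg[i + 1].len` check follows the read that filled `st->buf`. The new error paths also `return -EIO` directly where the existing code on the same path uses `break` (the `result < 0` branch), so whatever cleanup runs after the loop is skipped; if a lock is held across these transfers, as the shared state buffer suggests, it would stay locked, so `result = -EIO; break;` would be the safer form. Finally, the fourth hunk's message reports `msg[i].len` for a check made on `msg[i + 1].len`; the argument should be `msg[i + 1].len);`. The enclosing functions start and end outside these hunks.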