Input: ims-pcu - check record size in ims_pcu_flash_firmware()

The "len" variable comes from the firmware and we generally do
trust firmware, but it's always better to double check.  If the "len"
is too large it could result in memory corruption when we do
"memcpy(fragment->data, rec->data, len);"

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/131fd1ae92c828ee9f4fa2de03d8c210ae1f3524.1748463049.git.dan.carpenter@linaro.org
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index d9ee14b1f451845bbc2fca62c56b10cef7826cc6..4581f1c536442bc75dd22153c806ad619ce668ed 100644 (file)
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -844,6 +844,12 @@ static int ims_pcu_flash_firmware(struct ims_pcu *pcu,
                addr = be32_to_cpu(rec->addr) / 2;
                len = be16_to_cpu(rec->len);
 
+               if (len > sizeof(pcu->cmd_buf) - 1 - sizeof(*fragment)) {
+                       dev_err(pcu->dev,
+                               "Invalid record length in firmware: %d\n", len);
+                       return -EINVAL;
+               }
+
                fragment = (void *)&pcu->cmd_buf[1];
                put_unaligned_le32(addr, &fragment->addr);
                fragment->len = len;