From 72ea518d16c4669cec1d45cb07b79ccc96a36e52 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 13 May 2024 12:27:32 +0200
Subject: [PATCH] 4.19-stable patches added patches: firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
---
 ...ccount-when-fetching-packet-contents.patch | 38 +++++++++++++++++++
 queue-4.19/series | 1 +
 2 files changed, 39 insertions(+)
 create mode 100644 queue-4.19/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
diff --git a/queue-4.19/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch b/queue-4.19/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
new file mode 100644
index 00000000000..80b31b5ffb0
--- /dev/null
+++ b/queue-4.19/firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
@@ -0,0 +1,38 @@
+From 38762a0763c10c24a4915feee722d7aa6e73eb98 Mon Sep 17 00:00:00 2001
+From: Thanassis Avgerinos
+Date: Wed, 17 Apr 2024 11:30:02 -0400
+Subject: firewire: nosy: ensure user_length is taken into account when fetching packet contents
+
+From: Thanassis Avgerinos
+
+commit 38762a0763c10c24a4915feee722d7aa6e73eb98 upstream.
+
+Ensure that packet_buffer_get respects the user_length provided. If
+the length of the head packet exceeds the user_length, packet_buffer_get
+will now return 0 to signify to the user that no data were read
+and a larger buffer size is required. Helps prevent user space overflows.
+
+Signed-off-by: Thanassis Avgerinos
+Signed-off-by: Takashi Sakamoto
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firewire/nosy.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -161,10 +161,12 @@ packet_buffer_get(struct client *client,
+ if (atomic_read(&buffer->size) == 0)
+ return -ENODEV;
+
+- /* FIXME: Check length <= user_length. */
++ length = buffer->head->length;
++
++ if (length > user_length)
++ return 0;
+
+ end = buffer->data + buffer->capacity;
+- length = buffer->head->length;
+
+ if (&buffer->head->data[length] < end) {
+ if (copy_to_user(data, buffer->head->data, length))
diff --git a/queue-4.19/series b/queue-4.19/series
index 405031620e3..dd08ff6993f 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -53,3 +53,4 @@ net-bridge-fix-corrupted-ethernet-header-on-multicas.patch
 ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch
 af_unix-do-not-use-atomic-ops-for-unix_sk-sk-infligh.patch
 af_unix-fix-garbage-collector-racing-against-connect.patch
+firewire-nosy-ensure-user_length-is-taken-into-account-when-fetching-packet-contents.patch
-- 2.47.2
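Review bot: The added check `if (length > user_length) return 0;` in packet_buffer_get carries no comment, while the FIXME it replaces was the only in-code statement of the length contract. A zero return is what read-style callers normally take as end of data, so a reader that passes a buffer smaller than the head packet cannot tell the two cases apart; since the return comes before any copy_to_user, the packet is presumably left queued and a retry with the same size would get 0 again. I would put a comment above the check, for example `/* Head packet larger than user_length: copy nothing, return 0 so the caller retries with a bigger buffer. */`. The function begins and ends outside this hunk, so how the return value is passed to user space is not visible here.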