comedi: me_daq: Fix potential overrun of firmware buffer

commit cc797d4821c754c701d9714b58bea947e31dbbe0 upstream.

`me2600_xilinx_download()` loads the firmware that was requested by
`request_firmware()`.  It is possible for it to overrun the source
buffer because it blindly trusts the file format.  It reads a data
stream length from the first 4 bytes into variable `file_length` and
reads the data stream contents of length `file_length` from offset 16
onwards.  Although it checks that the supplied firmware is at least 16
bytes long, it does not check that it is long enough to contain the data
stream.

Add a test to ensure that the supplied firmware is long enough to
contain the header and the data stream.  On failure, log an error and
return `-EINVAL`.

Fixes: 85acac61096f9 ("Staging: comedi: add me_daq driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260205140130.76697-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/comedi/drivers/me_daq.c b/drivers/comedi/drivers/me_daq.c
index ef18e387471b358cb55c7645c2ac0871a8c6dcbd..adfd9daf738d434f86d40f9bc134736460ba98f7 100644 (file)
--- a/drivers/comedi/drivers/me_daq.c
+++ b/drivers/comedi/drivers/me_daq.c
@@ -345,6 +345,25 @@ static int me2600_xilinx_download(struct comedi_device *dev,
        unsigned int file_length;
        unsigned int i;
 
+       /*
+        * Format of the firmware
+        * Build longs from the byte-wise coded header
+        * Byte 1-3:   length of the array
+        * Byte 4-7:   version
+        * Byte 8-11:  date
+        * Byte 12-15: reserved
+        */
+       if (size >= 4) {
+               file_length = (((unsigned int)data[0] & 0xff) << 24) +
+                             (((unsigned int)data[1] & 0xff) << 16) +
+                             (((unsigned int)data[2] & 0xff) << 8) +
+                             ((unsigned int)data[3] & 0xff);
+       }
+       if (size < 16 || file_length > size - 16) {
+               dev_err(dev->class_dev, "Firmware length inconsistency\n");
+               return -EINVAL;
+       }
+
        /* disable irq's on PLX */
        writel(0x00, devpriv->plx_regbase + PLX9052_INTCSR);
 
@@ -358,22 +377,6 @@ static int me2600_xilinx_download(struct comedi_device *dev,
        writeb(0x00, dev->mmio + 0x0);
        sleep(1);
 
-       /*
-        * Format of the firmware
-        * Build longs from the byte-wise coded header
-        * Byte 1-3:   length of the array
-        * Byte 4-7:   version
-        * Byte 8-11:  date
-        * Byte 12-15: reserved
-        */
-       if (size < 16)
-               return -EINVAL;
-
-       file_length = (((unsigned int)data[0] & 0xff) << 24) +
-           (((unsigned int)data[1] & 0xff) << 16) +
-           (((unsigned int)data[2] & 0xff) << 8) +
-           ((unsigned int)data[3] & 0xff);
-
        /*
         * Loop for writing firmware byte by byte to xilinx
         * Firmware data start at offset 16