git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Dan Carpenter <dan.carpenter@oracle.com>
	Tue, 26 Mar 2019 05:12:07 +0000 (01:12 -0400)
committer	Ben Hutchings <ben@decadent.org.uk>
	Mon, 23 Sep 2019 20:11:36 +0000 (21:11 +0100)
commit	ec0c0a0e5cd3be7151bf69eb2a551b71b691978a
tree	a95fccb25e5a3956368adaa834a88c15500aff8d	tree \| snapshot
parent	393297320399540d2aa364bb331c90a736e0adc1	commit \| diff

media: wl128x: prevent two potential buffer overflows

commit 9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9 upstream.

Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
can copy up to 255 bytes and we only have room for two bytes. Even
if this comes from the firmware and we trust it, the new policy
generally is just to fix it as kernel hardenning.

I can't test this code so I tried to be very conservative. I considered
not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
whole variable but in the end I decided to allow it and manually
initialized "asic_id" and "asic_ver" to zero.

Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>