[media] si2157: Bounds check firmware

[ Upstream commit a828d72d ] When reading the firmware and sending commands, the length must be bounds checked to avoid overrunning the size of the command buffer and smashing the stack if the firmware is not in the expected format. Add the proper check. Cc: stable@kernel.org Signed-off-by: Laura Abbott <labbott@fedoraproject.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

[media] si2157: Bounds check firmware
[ Upstream commit a828d72d ] When reading the firmware and sending commands, the length must be bounds checked to avoid overrunning the size of the command buffer and smashing the stack if the firmware is not in the expected format. Add the proper check. Cc: stable@kernel.org Signed-off-by: Laura Abbott <labbott@fedoraproject.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
7bd07d0a · Laura Abbott · Sasha Levin · fb9f9481 · 7bd07d0a
Commit 7bd07d0a authored Sep 29, 2015 by Laura Abbott Committed by Sasha Levin Apr 13, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

drivers/media/tuners/si2157.c drivers/media/tuners/si2157.c +4 -0

No files found.
--- a/drivers/media/tuners/si2157.c
+++ b/drivers/media/tuners/si2157.c
@@ -157,6 +157,10 @@ static int si2157_init(struct dvb_frontend *fe)

 	for (remaining = fw->size; remaining > 0; remaining -= 17) {
 		len = fw->data[fw->size - remaining];
+		if (len > SI2157_ARGLEN) {
+			dev_err(&s->client->dev, "Bad firmware length\n");
+			goto err;
+		}
 		memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
 		cmd.wlen = len;
 		cmd.rlen = 1;