staging: bcm2835-camera: Fix buffer overflow calculation on query of camera properties

The code that queries properties on the camera has a check for buffer overruns if the firmware sends too much data. This check is incorrect, and during testing I was seeing stack corruption. I believe this error can actually happen in normal use, just for some reason it doesn't appear on 32 bit as often. So perhaps it's best for the check to be fixed. Signed-off-by: Michael Zoran <mzoran@crowfest.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: bcm2835-camera: Fix buffer overflow calculation on query of camera properties
The code that queries properties on the camera has a check for buffer overruns if the firmware sends too much data. This check is incorrect, and during testing I was seeing stack corruption. I believe this error can actually happen in normal use, just for some reason it doesn't appear on 32 bit as often. So perhaps it's best for the check to be fixed. Signed-off-by: Michael Zoran <mzoran@crowfest.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
85b1ac73 · Michael Zoran · Greg Kroah-Hartman · 74369b5f · 85b1ac73
Commit 85b1ac73 authored Mar 09, 2017 by Michael Zoran Committed by Greg Kroah-Hartman Mar 10, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +1 -1

No files found.
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
@@ -1442,7 +1442,7 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance,
 	}
 	ret = -rmsg->u.port_parameter_get_reply.status;
-	if (ret) {
+	if (ret || (rmsg->u.port_parameter_get_reply.size > *value_size)) {
 		/* Copy only as much as we have space for
 		 * but report true size of parameter
 		 */