diff options
| author |   Michael Zoran <mzoran@crowfest.net> | 2017-03-09 21:08:57 -0800 |
|---|---|---|
| committer |   Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-03-10 10:12:10 +0100 |
| commit | 85b1ac7359366e7386fb593427ee3e981e065259 (patch) | |
| tree | 82f3437acd4f76cda5dff4b5ce8600bbeecd3e94 /drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | |
| parent | staging: bcm2835-camera: Convert spinlock to mutex in handle mapping code (diff) | |
| download | linux-dev-85b1ac7359366e7386fb593427ee3e981e065259.tar.xz linux-dev-85b1ac7359366e7386fb593427ee3e981e065259.zip | |
staging: bcm2835-camera: Fix buffer overflow calculation on query of camera properties
The code that queries properties on the camera has a check
for buffer overruns if the firmware sends too much data. This
check is incorrect, and during testing I was seeing stack corruption.
I believe this error can actually happen in normal use, just for
some reason it doesn't appear on 32 bit as often. So perhaps
it's best for the check to be fixed.
Signed-off-by: Michael Zoran <mzoran@crowfest.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c')
| -rw-r--r-- | drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c index 41de8956e421..976aa08365f2 100644 --- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c @@ -1442,7 +1442,7 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance, } ret = -rmsg->u.port_parameter_get_reply.status; - if (ret) { + if (ret || (rmsg->u.port_parameter_get_reply.size > *value_size)) { /* Copy only as much as we have space for * but report true size of parameter */ |