diff options
author | Dave Stevenson <dave.stevenson@raspberrypi.org> | 2017-03-14 08:10:40 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-03-21 08:38:33 +0100 |
commit | f7d51372d7d1779bf60f7de35a4b12850442a9de (patch) | |
tree | 78d4f4beb75ea48a8bb8dd2ab33619207651a4a6 /drivers/staging/vc04_services/bcm2835-camera | |
parent | staging: vc04_services: make BCM_VIDEOCORE tristate (diff) | |
download | linux-dev-f7d51372d7d1779bf60f7de35a4b12850442a9de.tar.xz linux-dev-f7d51372d7d1779bf60f7de35a4b12850442a9de.zip |
bcm2835-v4l2: Fix buffer overflow problem
https://github.com/raspberrypi/linux/issues/1447
port_parameter_get() failed to account for the header
(u32 id and u32 size) in the size before memcpying
the response into the response buffer, so overrunning
the provided buffer by 8 bytes.
Account for those bytes, and also a belt-and-braces
check to ensure we never copy more than *value_size
bytes into value.
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
Signed-off-by: Michael Zoran <mzoran@crowfest.net>
Tested-by: Michael Zoran <mzoran@crowfest.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/vc04_services/bcm2835-camera')
-rw-r--r-- | drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c index fc1076db0f82..ccb2ee547055 100644 --- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c @@ -1445,7 +1445,12 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance, } ret = -rmsg->u.port_parameter_get_reply.status; - if (ret || (rmsg->u.port_parameter_get_reply.size > *value_size)) { + /* port_parameter_get_reply.size includes the header, + * whilst *value_size doesn't. + */ + rmsg->u.port_parameter_get_reply.size -= (2 * sizeof(u32)); + + if (ret || rmsg->u.port_parameter_get_reply.size > *value_size) { /* Copy only as much as we have space for * but report true size of parameter */ |