diff options
author | Robb Glasser <rglasser@google.com> | 2017-02-14 13:25:46 -0800 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-05-15 10:44:22 -0700 |
commit | f872fd26e405fd82eb5d12fbf2f24e8185cc3681 (patch) | |
tree | 6a8df600dd1ba5d60ba26a7f2d3c8cc95f041e06 /drivers/media/usb | |
parent | 75a9d0fee5b264c89afdc8b155848625fcbe9ca0 (diff) |
Prevent heap overflow in uvc driver
The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.
Bug: 33300353
Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
Signed-off-by: Robb Glasser <rglasser@google.com>
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: 8bc3ec72a02052187397d0de1a7b8bbe7340451c
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Diffstat (limited to 'drivers/media/usb')
-rw-r--r-- | drivers/media/usb/uvc/uvc_ctrl.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index 3e59b288b8a8..57d2f89350d2 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -1991,6 +1991,9 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain, if (!found) return -ENOENT; + if (ctrl->info.size < mapping->size) + return -EINVAL; + if (mutex_lock_interruptible(&chain->ctrl_mutex)) return -ERESTARTSYS; |