Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a potential heap overflow in the uvc driver. This adds a check to verify the user provided size fits within the bounds of the defined buffer size. Bug: 33300353 Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd Tracked-On: https://jira01.devtools.intel.com/browse/AW-5093 Signed-off-by: Robb Glasser <rglasser@google.com> Reviewed-on: https://android.intel.com/577976 Reviewed-by: Louis, FabienX <fabienx.louis@intel.com> Tested-by: Louis, FabienX <fabienx.louis@intel.com> Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
author: Robb Glasser <rglasser@google.com> 2017-04-12 14:41:58 +0200
committer: Bertolin, PierreX <pierrex.bertolin@intel.com> 2017-04-26 02:20:37 -0700
commit: 482994302c9242141e2f5cc11f0020d8c45f8bce (patch)
tree: a92d881dea66613419c5d2011d289e51d684b478
parent: 9a9ff2085866be6ca0df34d5d64811130bc3cca3 (diff)
download: x86-482994302c9242141e2f5cc11f0020d8c45f8bce.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index 3e59b288b8a8..57d2f89350d2 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1991,6 +1991,9 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
 	if (!found)
 		return -ENOENT;
 
+	if (ctrl->info.size < mapping->size)
+		return -EINVAL;
+
 	if (mutex_lock_interruptible(&chain->ctrl_mutex))
 		return -ERESTARTSYS;
author	Robb Glasser <rglasser@google.com>	2017-04-12 14:41:58 +0200
committer	Bertolin, PierreX <pierrex.bertolin@intel.com>	2017-04-26 02:20:37 -0700
commit	482994302c9242141e2f5cc11f0020d8c45f8bce (patch)
tree	a92d881dea66613419c5d2011d289e51d684b478
parent	9a9ff2085866be6ca0df34d5d64811130bc3cca3 (diff)
download	x86-482994302c9242141e2f5cc11f0020d8c45f8bce.tar.gz