diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2019-03-26 08:12:07 +0300 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | 2019-03-29 14:43:48 +0300 |
commit | 9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9 (patch) | |
tree | 31d6c625fee9e81e91460363d7542b8af91f25ea /lib/ucs2_string.c | |
parent | 2e7682ebfc750177a4944eeb56e97a3f05734528 (diff) | |
download | linux-9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9.tar.xz |
media: wl128x: prevent two potential buffer overflows
Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
can copy up to 255 bytes and we only have room for two bytes. Even
if this comes from the firmware and we trust it, the new policy
generally is just to fix it as kernel hardenning.
I can't test this code so I tried to be very conservative. I considered
not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
whole variable but in the end I decided to allow it and manually
initialized "asic_id" and "asic_ver" to zero.
Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Diffstat (limited to 'lib/ucs2_string.c')
0 files changed, 0 insertions, 0 deletions