From: Alex Elder <elder@linaro.org>
Date: Tue, 9 Sep 2014 18:55:08 +0000 (-0500)
Subject: greybus: validate descriptor sizes
X-Git-Tag: v5.15~12752^2~378^2~21^2~2127
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=57fc0a110405ba305b525bede8cdf2e1b00b69a0;p=platform%2Fkernel%2Flinux-starfive.git

greybus: validate descriptor sizes

When interpreting a manifest descriptor header, don't assume there
is enough space in the buffer to hold a descriptor header.  Also,
verify the remaining buffer is at least as big as the reported
descriptor size.

Signed-off-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
---

diff --git a/drivers/staging/greybus/core.c b/drivers/staging/greybus/core.c
index 61a4bc6..4b7034d 100644
--- a/drivers/staging/greybus/core.c
+++ b/drivers/staging/greybus/core.c
@@ -395,8 +395,17 @@ struct greybus_device *greybus_new_module(struct device *parent,
 	size -= sizeof(manifest->header);
 	data += sizeof(manifest->header);
 	while (size > 0) {
+		if (size < sizeof(desc->header)) {
+			dev_err(parent, "remaining size %d too small\n", size);
+			goto error;
+		}
 		desc = (struct greybus_descriptor *)data;
 		desc_size = le16_to_cpu(desc->header.size);
+		if (size < desc_size) {
+			dev_err(parent, "descriptor size %d too big\n",
+				desc_size);
+			goto error;
+		}
 
 		switch (le16_to_cpu(desc->header.type)) {
 		case GREYBUS_TYPE_FUNCTION: