From 57fc0a110405ba305b525bede8cdf2e1b00b69a0 Mon Sep 17 00:00:00 2001
From: Alex Elder <elder@linaro.org>
Date: Tue, 9 Sep 2014 13:55:08 -0500
Subject: [PATCH] greybus: validate descriptor sizes

When interpreting a manifest descriptor header, don't assume there
is enough space in the buffer to hold a descriptor header.  Also,
verify the remaining buffer is at least as big as the reported
descriptor size.

Signed-off-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
---
 drivers/staging/greybus/core.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/staging/greybus/core.c b/drivers/staging/greybus/core.c
index 61a4bc6..4b7034d 100644
--- a/drivers/staging/greybus/core.c
+++ b/drivers/staging/greybus/core.c
@@ -395,8 +395,17 @@ struct greybus_device *greybus_new_module(struct device *parent,
 	size -= sizeof(manifest->header);
 	data += sizeof(manifest->header);
 	while (size > 0) {
+		if (size < sizeof(desc->header)) {
+			dev_err(parent, "remaining size %d too small\n", size);
+			goto error;
+		}
 		desc = (struct greybus_descriptor *)data;
 		desc_size = le16_to_cpu(desc->header.size);
+		if (size < desc_size) {
+			dev_err(parent, "descriptor size %d too big\n",
+				desc_size);
+			goto error;
+		}
 
 		switch (le16_to_cpu(desc->header.type)) {
 		case GREYBUS_TYPE_FUNCTION:
-- 
2.7.4