From patchwork Tue Jun 5 00:24:15 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Dufresne X-Patchwork-Id: 10447511 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 24D61601A1 for ; Tue, 5 Jun 2018 00:24:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 16C6328F75 for ; Tue, 5 Jun 2018 00:24:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0B48D28F91; Tue, 5 Jun 2018 00:24:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B60A628F75 for ; Tue, 5 Jun 2018 00:24:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751223AbeFEAYX (ORCPT ); Mon, 4 Jun 2018 20:24:23 -0400 Received: from bhuna.collabora.co.uk ([46.235.227.227]:45460 "EHLO bhuna.collabora.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751042AbeFEAYX (ORCPT ); Mon, 4 Jun 2018 20:24:23 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: nicolas) with ESMTPSA id 850B6272FF3 From: Nicolas Dufresne Cc: Laurent Pinchart , Mauro Carvalho Chehab , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] uvcvideo: Also validate buffers in BULK mode Date: Mon, 4 Jun 2018 20:24:15 -0400 Message-Id: <20180605002415.11421-1-nicolas.dufresne@collabora.com> X-Mailer: git-send-email 2.17.1 To: unlisted-recipients:; (no To-header on input) Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Just like for ISOC, validate the decoded BULK buffer size when possible. This avoids sending corrupted or partial buffers to userspace, which may lead to application crash or run-time failure. Signed-off-by: Nicolas Dufresne --- drivers/media/usb/uvc/uvc_video.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index aa0082fe5833..46df4d01e31b 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -1307,8 +1307,10 @@ static void uvc_video_decode_bulk(struct urb *urb, struct uvc_streaming *stream, if (stream->bulk.header_size == 0 && !stream->bulk.skip_payload) { do { ret = uvc_video_decode_start(stream, buf, mem, len); - if (ret == -EAGAIN) + if (ret == -EAGAIN) { + uvc_video_validate_buffer(stream, buf); uvc_video_next_buffers(stream, &buf, &meta_buf); + } } while (ret == -EAGAIN); /* If an error occurred skip the rest of the payload. */ @@ -1342,8 +1344,10 @@ static void uvc_video_decode_bulk(struct urb *urb, struct uvc_streaming *stream, if (!stream->bulk.skip_payload && buf != NULL) { uvc_video_decode_end(stream, buf, stream->bulk.header, stream->bulk.payload_size); - if (buf->state == UVC_BUF_STATE_READY) + if (buf->state == UVC_BUF_STATE_READY) { + uvc_video_validate_buffer(stream, buf); uvc_video_next_buffers(stream, &buf, &meta_buf); + } } stream->bulk.header_size = 0;