| Message ID | 20190702140211.28399-1-tranmanphong@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | media: usb: technisat-usb2: fix buffer overflow | expand |
On Tue, Jul 2, 2019 at 4:02 PM Phong Tran <tranmanphong@gmail.com> wrote: > > The buffer will be overflow in case of the while loop can not break. > Add the checking buffer condition in while loop for avoiding > overlooping index. > > This issue was reported by syzbot > > Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com > > Tested by: > https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/0hKq1CdjCwAJ > > Signed-off-by: Phong Tran <tranmanphong@gmail.com> > --- > drivers/media/usb/dvb-usb/technisat-usb2.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c > index c659e18b358b..4e0b6185666a 100644 > --- a/drivers/media/usb/dvb-usb/technisat-usb2.c > +++ b/drivers/media/usb/dvb-usb/technisat-usb2.c > @@ -655,7 +655,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) > #endif > > ev.pulse = 0; > - while (1) { > + while (b != (buf + 63)) { I think it won't hurt to either use ARRAY_SIZE here, or define some magic constant for the buffer size in struct technisat_usb2_state. > ev.pulse = !ev.pulse; > ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000; > ir_raw_event_store(d->rc_dev, &ev); > -- > 2.11.0 > > -- > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20190702140211.28399-1-tranmanphong%40gmail.com. > For more options, visit https://groups.google.com/d/optout.
On Tue, Jul 02, 2019 at 09:02:11PM +0700, Phong Tran wrote: > The buffer will be overflow in case of the while loop can not break. > Add the checking buffer condition in while loop for avoiding > overlooping index. > > This issue was reported by syzbot > > Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com > > Tested by: > https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/0hKq1CdjCwAJ > > Signed-off-by: Phong Tran <tranmanphong@gmail.com> > --- > drivers/media/usb/dvb-usb/technisat-usb2.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c > index c659e18b358b..4e0b6185666a 100644 > --- a/drivers/media/usb/dvb-usb/technisat-usb2.c > +++ b/drivers/media/usb/dvb-usb/technisat-usb2.c > @@ -655,7 +655,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) > #endif > > ev.pulse = 0; > - while (1) { > + while (b != (buf + 63)) { This matches the "62" from the earlier read -- instead of these literal numbers, could you replace the "62"s with a named define for whatever would make sense for this driver (maybe "IR_MAX_EVENTS"?), and then you can make the above be something like: while (b <= buf + IR_MAX_EVENTS) { > ev.pulse = !ev.pulse; > ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000; > ir_raw_event_store(d->rc_dev, &ev); > -- > 2.11.0 >
diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c index c659e18b358b..4e0b6185666a 100644 --- a/drivers/media/usb/dvb-usb/technisat-usb2.c +++ b/drivers/media/usb/dvb-usb/technisat-usb2.c @@ -655,7 +655,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) #endif ev.pulse = 0; - while (1) { + while (b != (buf + 63)) { ev.pulse = !ev.pulse; ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000; ir_raw_event_store(d->rc_dev, &ev);
The buffer will be overflow in case of the while loop can not break. Add the checking buffer condition in while loop for avoiding overlooping index. This issue was reported by syzbot Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com Tested by: https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/0hKq1CdjCwAJ Signed-off-by: Phong Tran <tranmanphong@gmail.com> --- drivers/media/usb/dvb-usb/technisat-usb2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)