From patchwork Tue Aug 7 11:07:24 2018
X-Patchwork-Submitter: Mauro Carvalho Chehab
X-Patchwork-Id: 10558563
From: Mauro Carvalho Chehab
Cc: Mauro Carvalho Chehab, Linux Media Mailing List, Mauro Carvalho Chehab, Antti Palosaari
Subject: [PATCH] media: rtl28xxu: be sure that it won't go past the array size
Date: Tue, 7 Aug 2018 07:07:24 -0400
Message-Id: <53cc785104d19c86defea0a9473f07c392390453.1533640042.git.mchehab+samsung@kernel.org>

smatch warns that the RC query code could go past the array size:

	drivers/media/usb/dvb-usb-v2/rtl28xxu.c:1757 rtl2832u_rc_query() error: buffer overflow 'buf' 128 <= 130
	drivers/media/usb/dvb-usb-v2/rtl28xxu.c:1758 rtl2832u_rc_query() error: buffer overflow 'buf' 128 <= 130

The driver logic gets the length of the IR RX buffer with:

	ret = rtl28xxu_rd_reg(d, IR_RX_BC, &buf[0]);
	...
	len = buf[0];

In thesis, this could range between 0 and 255 [1]. While this should
never happen in practice, due to hardware limits, smatch is right when
it complains about that, as there's nothing at the logic that would
prevent it. So, if for whatever reason, buf[0] gets filled by rtl28xx
read functions with a value bigger than 128, it will go past the array.

So, add an explicit check.

[1] I've no idea why smatch thinks that the maximum value is 130.
I double-checked the code several times. Was unable to find any
reason for assuming 130. Perhaps smatch is not properly parsing u8 here?

Fixes: b5cbaa43a676 ("[media] rtl28xx: initial support for rtl2832u")
Signed-off-by: Mauro Carvalho Chehab
--- drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c index c76e78f9638a..a970224a94bd 100644 --- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c 
@@ -1732,7 +1732,7 @@ static int rtl2832u_rc_query(struct dvb_usb_device *d) goto exit; ret = rtl28xxu_rd_reg(d, IR_RX_BC, &buf[0]); - if (ret) + if (ret || buf[0] > sizeof(buf)) goto err; len = buf[0];
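Review bot: In the new condition "if (ret || buf[0] > sizeof(buf))", the length-check branch reaches "goto err" with ret still 0, because the right-hand side is only evaluated after the register read has succeeded. If the err path logs or returns ret, an out-of-range IR_RX_BC value would be reported as success; consider splitting the test and setting a negative errno (for example -EINVAL) before the jump. The bound also deserves a word in the commit message: with ">" a value equal to sizeof(buf) still passes and is assigned to len, so the accesses smatch flags at lines 1757 and 1758 must index no further than len - 1 for this check to be sufficient.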