Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp270007imm; Mon, 4 Jun 2018 17:25:09 -0700 (PDT) X-Google-Smtp-Source: ADUXVKL1kDjxf7hM+I2/1wEKX9nWPjiGLU7OAvSh3lqeLAVtA//hbPTv0O/yhrCPAscizBCJZdSa X-Received: by 2002:a62:8b9b:: with SMTP id e27-v6mr23515961pfl.82.1528158309553; Mon, 04 Jun 2018 17:25:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528158309; cv=none; d=google.com; s=arc-20160816; b=Osb3oT4TF2xD1ySbfP9ai49UyrVGywHxZ+WZH6gw/HnzaV5NC1OXlHS2OED1bqTCLf y/kXd5QnhACKqbUnXOZ5a6WIVKq6E3fJafZxagETCeGsiJgM21SedMGlYxupUFWrQt4w Qa1I/E/Pg8QhT2KqTONC1Qq3oubAL5KURTop8AbnEQiKL0zA05cbcL0+r1lCxbcO1fgV g0gpNmi3qDjdxe+FjKp1SNld7B8v7TAkvzUiKY2LsIOs3WcU7BY9QVZ0tzTN35n2XLXK J3Zh1PynO4QT2Wh5R0k/2NhJsaQsQ76Ct2Q5r9CNTIXd3JvD3WMs/e2+vSzh3UC1ETo1 Kyqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:message-id:date:subject:cc:from :arc-authentication-results; bh=T6BJmCZ7mzsn8xn5oMcpsVKxjD7jDKeFMnlj16AtorU=; b=duvVoAHOSX0x1AxjDonKCwD5cNeWjAAy4oAjhbqennyBLvLzNCJnNrmtBlmI+hqHBx fCV1cwiGKPazPoAIRlyLBFfimuB4bJLgikN3zc8YyVzMXyNuJg35trHlSpJ5cWRXRKTF 0KtI7vJmrCW0m+Nxv7ct3kripRgYSPzlFzbJfiDgI+R3Leo8TlG4r2Iuwdc/8J/c7IZF PlpdObBbO4DnpzNg2CikN/06ICZtxkiXYN/ENEybU2829+eXxs1Mq6cbTMPGJkh7klq9 ZXU31VFD3odmfhbCWQ0WsBWq+a4JmofNmKlScnQAOiRxpO/mehZPJ/bwDtbcwdXRorJm +glg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q75-v6si47240508pfk.268.2018.06.04.17.24.50; Mon, 04 Jun 2018 17:25:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751326AbeFEAYY (ORCPT + 99 others); Mon, 4 Jun 2018 20:24:24 -0400 Received: from bhuna.collabora.co.uk ([46.235.227.227]:45460 "EHLO bhuna.collabora.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751042AbeFEAYX (ORCPT ); Mon, 4 Jun 2018 20:24:23 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: nicolas) with ESMTPSA id 850B6272FF3 From: Nicolas Dufresne Cc: Laurent Pinchart , Mauro Carvalho Chehab , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] uvcvideo: Also validate buffers in BULK mode Date: Mon, 4 Jun 2018 20:24:15 -0400 Message-Id: <20180605002415.11421-1-nicolas.dufresne@collabora.com> X-Mailer: git-send-email 2.17.1 To: unlisted-recipients:; (no To-header on input) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Just like for ISOC, validate the decoded BULK buffer size when possible. This avoids sending corrupted or partial buffers to userspace, which may lead to application crash or run-time failure. Signed-off-by: Nicolas Dufresne --- drivers/media/usb/uvc/uvc_video.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index aa0082fe5833..46df4d01e31b 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -1307,8 +1307,10 @@ static void uvc_video_decode_bulk(struct urb *urb, struct uvc_streaming *stream, if (stream->bulk.header_size == 0 && !stream->bulk.skip_payload) { do { ret = uvc_video_decode_start(stream, buf, mem, len); - if (ret == -EAGAIN) + if (ret == -EAGAIN) { + uvc_video_validate_buffer(stream, buf); uvc_video_next_buffers(stream, &buf, &meta_buf); + } } while (ret == -EAGAIN); /* If an error occurred skip the rest of the payload. */ @@ -1342,8 +1344,10 @@ static void uvc_video_decode_bulk(struct urb *urb, struct uvc_streaming *stream, if (!stream->bulk.skip_payload && buf != NULL) { uvc_video_decode_end(stream, buf, stream->bulk.header, stream->bulk.payload_size); - if (buf->state == UVC_BUF_STATE_READY) + if (buf->state == UVC_BUF_STATE_READY) { + uvc_video_validate_buffer(stream, buf); uvc_video_next_buffers(stream, &buf, &meta_buf); + } } stream->bulk.header_size = 0; -- 2.17.1