From: Laurent Pinchart
To: Nicolas Dufresne
Cc: Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] uvcvideo: Also validate buffers in BULK mode
Date: Tue, 05 Jun 2018 11:52:19 +0300
Organization: Ideas on Board Oy

Hi Nicolas,

Thank you for the patch.

On Tuesday, 5 June 2018 03:24:15 EEST Nicolas Dufresne wrote:
> Just like for ISOC, validate the decoded BULK buffer size when possible.
> This avoids sending corrupted or partial buffers to userspace, which may
> lead to application crash or run-time failure.
>
> Signed-off-by: Nicolas Dufresne
> ---
> drivers/media/usb/uvc/uvc_video.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/usb/uvc/uvc_video.c > b/drivers/media/usb/uvc/uvc_video.c index aa0082fe5833..46df4d01e31b 100644 > --- a/drivers/media/usb/uvc/uvc_video.c > +++ b/drivers/media/usb/uvc/uvc_video.c > @@ -1307,8 +1307,10 @@ static void uvc_video_decode_bulk(struct urb *urb, > struct uvc_streaming *stream, if (stream->bulk.header_size == 0 && > !stream->bulk.skip_payload) { do { > ret = uvc_video_decode_start(stream, buf, mem, len); > - if (ret == -EAGAIN) > + if (ret == -EAGAIN) { > + uvc_video_validate_buffer(stream, buf); > uvc_video_next_buffers(stream, &buf, &meta_buf);

Wouldn't it be simpler to move the uvc_video_validate_buffer() call to uvc_video_next_buffers()?

> + } > } while (ret == -EAGAIN); > > /* If an error occurred skip the rest of the payload. */
> @@ -1342,8 +1344,10 @@ static void uvc_video_decode_bulk(struct urb *urb, > struct uvc_streaming *stream, if (!stream->bulk.skip_payload && buf != > NULL) { > uvc_video_decode_end(stream, buf, stream->bulk.header, > stream->bulk.payload_size); > - if (buf->state == UVC_BUF_STATE_READY) > + if (buf->state == UVC_BUF_STATE_READY) { > + uvc_video_validate_buffer(stream, buf); > uvc_video_next_buffers(stream, &buf, &meta_buf); > + } > } > > stream->bulk.header_size = 0;

--
Regards,

Laurent Pinchart
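
Review bot: In the first hunk (the -EAGAIN branch inside the do/while loop), uvc_video_validate_buffer(stream, buf) is called with no NULL check on buf visible in the enclosing condition, whereas the call in the second hunk sits under `buf != NULL`. Please confirm that uvc_video_decode_start() can only return -EAGAIN with a non-NULL buf and note that in a comment, or guard this call the same way as the second one.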
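
Review bot: The second hunk (the UVC_BUF_STATE_READY branch after uvc_video_decode_end()) repeats the validate-then-next pair already added in the first hunk, so a later call site of uvc_video_next_buffers() could miss the validation. Keeping the check in one place, either in a small helper that does both calls or inside uvc_video_next_buffers() itself, avoids that; the commit message should also say which condition "when possible" refers to, so the reader knows when a BULK buffer is left unvalidated.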