Subject: Re: [PATCH] uvcvideo: Also validate buffers in BULK mode
From: Nicolas Dufresne
To: Laurent Pinchart
Cc: Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Tue, 05 Jun 2018 10:07:38 -0400
In-Reply-To: <2206409.jVpTcjFX6j@avalon>
References: <20180605002415.11421-1-nicolas.dufresne@collabora.com> <2206409.jVpTcjFX6j@avalon>
Organization: Collabora Ltd.

On Tuesday, 5 June 2018 at 11:52 +0300, Laurent Pinchart wrote:
> Hi Nicolas,
>
> Thank you for the patch.
>
> On Tuesday, 5 June 2018 03:24:15 EEST Nicolas Dufresne wrote:
> > Just like for ISOC, validate the decoded BULK buffer size when possible.
> > This avoids sending corrupted or partial buffers to userspace, which may
> > lead to application crash or run-time failure.
> >
> > Signed-off-by: Nicolas Dufresne
> > ---
> > drivers/media/usb/uvc/uvc_video.c | 8 ++++++--
> > 1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/media/usb/uvc/uvc_video.c > > b/drivers/media/usb/uvc/uvc_video.c index aa0082fe5833..46df4d01e31b 10= 0644 > > --- a/drivers/media/usb/uvc/uvc_video.c > > +++ b/drivers/media/usb/uvc/uvc_video.c
> > @@ -1307,8 +1307,10 @@ static void uvc_video_decode_bulk(struct urb *ur= b, > > struct uvc_streaming *stream, if (stream->bulk.header_size =3D=3D 0 && > > !stream->bulk.skip_payload) { do { > > ret =3D uvc_video_decode_start(stream, buf, mem, len); > > - if (ret =3D=3D -EAGAIN) > > + if (ret =3D=3D -EAGAIN) { > > + uvc_video_validate_buffer(stream, buf); > > uvc_video_next_buffers(stream, &buf, &meta_buf);
>
> Wouldn't it be simpler to move the uvc_video_validate_buffer() call to
> uvc_video_next_buffers() ?

Sounds like a good idea, it will prevent forgetting about it if this code gets extended.

>
> > + } > > } while (ret =3D=3D -EAGAIN); > >=20 > > /* If an error occurred skip the rest of the payload. */ > > @@ -1342,8 +1344,10 @@ static void uvc_video_decode_bulk(struct urb *ur= b, > > struct uvc_streaming *stream, if (!stream->bulk.skip_payload && buf != =3D > > NULL) { > > uvc_video_decode_end(stream, buf, stream->bulk.header, > > stream->bulk.payload_size); > > - if (buf->state =3D=3D UVC_BUF_STATE_READY) > > + if (buf->state =3D=3D UVC_BUF_STATE_READY) { > > + uvc_video_validate_buffer(stream, buf); > > uvc_video_next_buffers(stream, &buf, &meta_buf); > > + } > > } > >=20 > > stream->bulk.header_size =3D 0;
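
Review bot: In the -EAGAIN branch of the first hunk (@@ -1307), uvc_video_validate_buffer(stream, buf) is reached with no buf != NULL check in the visible condition, which only tests stream->bulk.header_size and stream->bulk.skip_payload, while the call in the second hunk sits under an explicit buf != NULL test. Please confirm that uvc_video_decode_start() can only return -EAGAIN with a valid buffer, or add the check, and note the reasoning in the commit message.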
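
Review bot: The UVC_BUF_STATE_READY branch in the second hunk (@@ -1342) repeats the validate-then-advance pair already added in the first hunk, so the check depends on every caller of uvc_video_next_buffers() remembering to pair the two calls. Moving uvc_video_validate_buffer() into uvc_video_next_buffers(), as raised in the thread, would drop both added brace blocks and cover any later call site; the commit message should also spell out which cases "when possible" refers to.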