Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp142572imm; Tue, 5 Jun 2018 16:46:56 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLSw3x8m4KIztHjjB1A7j3BaSsgkBLn4kzrnIY6clGZcxwTkvDjQbGxaS5c4p07wr50VQlJ X-Received: by 2002:a17:902:8b8c:: with SMTP id ay12-v6mr703213plb.74.1528242416696; Tue, 05 Jun 2018 16:46:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528242416; cv=none; d=google.com; s=arc-20160816; b=cpQj8UsewsNZ55fBsYiE3vb2YY4p53LRuh+GcOIhrLmIagS/6Jg1lBIK+4/bUPBxb+ 6bLUMV2Y/154IvH/L5En6IQI5SOCjQ+Je407szsHVLDTpOCeBfyzBI66h+9jJR0JKZHy de8YnFSagwGQ2o4DJggZNoYzhGZGCRz+BcGb7WOTVJHC/1VDrRJmXwwNs2yGlrQVmrG1 Nm5f/6/IbA0eNPoI4l/YMTuj/NvlDboDHx9Xez5yyCKXn+cjmpOzUgHIowFRS/WRJbth r6VFNgiDDoMDjztoJvFR+f5oXUujYw5IgjDEOoWsvaWxs+G/RRyTZB+2w9+cpbHPfwQM Yasw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:in-reply-to:message-id:date :subject:cc:from:arc-authentication-results; bh=g8ZyrSCuCDpTvbagtIijOAGl6ojYK3Mnk/oKfWSU2e4=; b=jpwGDfGSbR+BwTgkvmFnfJ9ylfU5FIJRyrgbbRF1ZXGFuvxaba3nq17Ksx0w9C/ZuG 6VZTJwjtjhSWz/7FKzwMmWfppYRF49kBzNCc6CEQ0XiPx0V6yWzuIauZst23Mr0tfSJn fMBRZ/IzMzal0EdAdJGsxjhzxrEfCcwvfShpFhuw/R7inrAt6gWCZ3skZ/Iq01958FRj muL2o6bXe8WxBHcgHTR8gL5WbfQisUS6kv6uqNIKzDfMKddl0hUa1O7KvTscpbrRJQ9g 7MIDdjLl5ERi5abed948SfhNfYtpIXka/RqSdpJ+/BD+hN/xhfNf4/eSJsudsv1JLX+4 JO0g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n2-v6si50859611plk.433.2018.06.05.16.46.42; Tue, 05 Jun 2018 16:46:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932140AbeFEXqS (ORCPT + 99 others); Tue, 5 Jun 2018 19:46:18 -0400 Received: from bhuna.collabora.co.uk ([46.235.227.227]:52474 "EHLO bhuna.collabora.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932097AbeFEXqR (ORCPT ); Tue, 5 Jun 2018 19:46:17 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: nicolas) with ESMTPSA id 1A7B7269D95 From: Nicolas Dufresne Cc: Laurent Pinchart , Mauro Carvalho Chehab , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2] uvcvideo: Also validate buffers in BULK mode Date: Tue, 5 Jun 2018 19:46:07 -0400 Message-Id: <20180605234607.5334-1-nicolas.dufresne@collabora.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <2206409.jVpTcjFX6j@avalon> References: <2206409.jVpTcjFX6j@avalon> To: unlisted-recipients:; (no To-header on input) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Just like for ISOC, validate the decoded BULK buffer size when possible. This avoids sending corrupted or partial buffers to userspace, which may lead to application crash or run-time failure. Signed-off-by: Nicolas Dufresne --- drivers/media/usb/uvc/uvc_video.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index aa0082fe5833..025ffac196f3 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -1234,6 +1234,7 @@ static void uvc_video_next_buffers(struct uvc_streaming *stream, *meta_buf = uvc_queue_next_buffer(&stream->meta.queue, *meta_buf); } + uvc_video_validate_buffer(stream, *video_buf); *video_buf = uvc_queue_next_buffer(&stream->queue, *video_buf); } @@ -1258,10 +1259,8 @@ static void uvc_video_decode_isoc(struct urb *urb, struct uvc_streaming *stream, do { ret = uvc_video_decode_start(stream, buf, mem, urb->iso_frame_desc[i].actual_length); - if (ret == -EAGAIN) { - uvc_video_validate_buffer(stream, buf); + if (ret == -EAGAIN) uvc_video_next_buffers(stream, &buf, &meta_buf); - } } while (ret == -EAGAIN); if (ret < 0) @@ -1277,10 +1276,8 @@ static void uvc_video_decode_isoc(struct urb *urb, struct uvc_streaming *stream, uvc_video_decode_end(stream, buf, mem, urb->iso_frame_desc[i].actual_length); - if (buf->state == UVC_BUF_STATE_READY) { - uvc_video_validate_buffer(stream, buf); + if (buf->state == UVC_BUF_STATE_READY) uvc_video_next_buffers(stream, &buf, &meta_buf); - } } } -- 2.17.1