[PATCH 4.2.y-ckt 007/268] [media] si2157: return -EINVAL if firmware blob is too big

From: Kamal Mostafa
Date: Wed Jan 27 2016 - 17:03:18 EST


4.2.8-ckt3 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Laura Abbott <labbott@xxxxxxxxxxxxxxxxx>

commit d2cc2f0b35465951eaaf0387fd55e29835ed7ea6 upstream.

A previous patch added a check if the firmware is too big, but it didn't
set the return error code with the right value.

[mchehab@xxxxxxxxxxxxxxx: I ended by applying a v1 of Laura's patch, without
the proper return code. This patch contains the difference between v2 and v1 of
Laura's "si2157: Bounds check firmware" patch]
Signed-off-by: Laura Abbott <labbott@xxxxxxxxxxxxxxxxx>
Reviewed-by: Olli Salonen <olli.salonen@xxxxxx>
Tested-by: Olli Salonen <olli.salonen@xxxxxx>

Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxx>
Signed-off-by: Kamal Mostafa <kamal@xxxxxxxxxxxxx>
---
drivers/media/tuners/si2157.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
index 416c865..27241de 100644
--- a/drivers/media/tuners/si2157.c
+++ b/drivers/media/tuners/si2157.c
@@ -168,6 +168,7 @@ static int si2157_init(struct dvb_frontend *fe)
len = fw->data[fw->size - remaining];
if (len > SI2157_ARGLEN) {
dev_err(&client->dev, "Bad firmware length\n");
+ ret = -EINVAL;
goto err_release_firmware;
}
memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
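Review bot: The length check before the memcpy only bounds len against the destination (SI2157_ARGLEN); nothing in the visible lines bounds it against the source. len is read from the blob itself at fw->data[fw->size - remaining], and the copy then reads len bytes starting at &fw->data[(fw->size - remaining) + 1]. Unless si2157_init guarantees elsewhere that at least len + 1 bytes are left in the record, a malformed or truncated firmware file can pass this check and still make the memcpy read past fw->size. Consider rejecting the blob in the same branch when len + 1 > remaining, with the same ret = -EINVAL path. It would also help triage to print the offending len in the "Bad firmware length" message.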
--
1.9.1