Re: [PATCH] media: usb: ttusb-dec: avoid buffer overflow in ttusb_dec_handle_irq() when DMA failures/attacks occur
From: Jia-Ju Bai
Date: Thu May 07 2020 - 06:11:36 EST
Thanks for the reply, Sean :)
On 2020/5/7 16:43, Sean Young wrote:
On Tue, May 05, 2020 at 10:21:10PM +0800, Jia-Ju Bai wrote:
Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>
---
drivers/media/usb/ttusb-dec/ttusb_dec.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
index 3198f9624b7c..8543c552515b 100644
--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
+++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
@@ -250,6 +250,7 @@ static void ttusb_dec_handle_irq( struct urb *urb)
struct ttusb_dec *dec = urb->context;
char *buffer = dec->irq_buffer;
int retval;
+ u8 index = buffer[4];
switch(urb->status) {
case 0: /*success*/
@@ -281,11 +282,11 @@ static void ttusb_dec_handle_irq( struct urb *urb)
* this should/could be added later ...
* for now lets report each signal as a key down and up
*/
- if (buffer[4] - 1 < ARRAY_SIZE(rc_keys)) {
Here buffer[4] is signed char, so if buffer[4] == 0 then (buffer[4] - 1) = -1,
this becomes "if (-1 < ARRAY_SIZE(rc_keys))", which evaluates to false,
due to it becoming an unsigned compare. _I think_.
I think you are right.
Maybe I should use "int index = buffer[4]" here.
- dprintk("%s:rc signal:%d\n", __func__, buffer[4]);
- input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 1);
+ if (index - 1 < ARRAY_SIZE(rc_keys)) {
+ dprintk("%s:rc signal:%d\n", __func__, index);
+ input_report_key(dec->rc_input_dev, rc_keys[index - 1], 1);
input_sync(dec->rc_input_dev);
- input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 0);
+ input_report_key(dec->rc_input_dev, rc_keys[index - 1], 0);
Like Greg said, this patch reduces the number of dereferences and makes
the code much cleaner, but the commit message is misleading.
Okay, I will change my log and send a new patch.
Best wishes,
Jia-Ju Bai