media: wl128x: prevent two potential buffer overflows
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 26 Mar 2019 05:12:07 +0000 (01:12 -0400)
committerMauro Carvalho Chehab <mchehab+samsung@kernel.org>
Fri, 29 Mar 2019 11:43:48 +0000 (07:43 -0400)
commit9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9
tree31d6c625fee9e81e91460363d7542b8af91f25ea
parent2e7682ebfc750177a4944eeb56e97a3f05734528
media: wl128x: prevent two potential buffer overflows

Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
can copy up to 255 bytes and we only have room for two bytes.  Even
if this comes from the firmware and we trust it, the new policy
generally is just to fix it as kernel hardenning.

I can't test this code so I tried to be very conservative.  I considered
not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
whole variable but in the end I decided to allow it and manually
initialized "asic_id" and "asic_ver" to zero.

Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
drivers/media/radio/wl128x/fmdrv_common.c