In the quest to remove all stack VLA usage from the kernel[1], this sets the buffer to maximum size and adds a sanity check. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@xxxxxxxxxxxxxx Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> --- drivers/gpu/drm/i2c/tda9950.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i2c/tda9950.c b/drivers/gpu/drm/i2c/tda9950.c index 3f7396caad48..28314433c351 100644 --- a/drivers/gpu/drm/i2c/tda9950.c +++ b/drivers/gpu/drm/i2c/tda9950.c @@ -76,9 +76,12 @@ struct tda9950_priv { static int tda9950_write_range(struct i2c_client *client, u8 addr, u8 *p, int cnt) { struct i2c_msg msg; - u8 buf[cnt + 1]; + u8 buf[CEC_MAX_MSG_SIZE + 3]; int ret; + if (WARN_ON(cnt > sizeof(buf))) + return -EINVAL; + buf[0] = addr; memcpy(buf + 1, p, cnt); -- 2.17.1 -- Kees Cook Pixel Security _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/dri-devel