[PATCH] bcm2835-v4l2: Fix buffer overflow problem


 



From: Dave Stevenson <dave.stevenson@xxxxxxxxxxxxxxx>

https://github.com/raspberrypi/linux/issues/1447
port_parameter_get() failed to account for the header
(u32 id and u32 size) in the size before memcpying
the response into the response buffer, so overrunning
the provided buffer by 8 bytes.

Account for those bytes, and also a belt-and-braces
check to ensure we never copy more than *value_size
bytes into value.

Signed-off-by: Dave Stevenson <dave.stevenson@xxxxxxxxxxxxxxx>
Signed-off-by: Michael Zoran <mzoran@xxxxxxxxxxxx>
Tested-by: Michael Zoran <mzoran@xxxxxxxxxxxx>

---
 drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
index fc1076db0f82..ccb2ee547055 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
@@ -1445,7 +1445,12 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance,
 	}
 
 	ret = -rmsg->u.port_parameter_get_reply.status;
-	if (ret || (rmsg->u.port_parameter_get_reply.size > *value_size)) {
+	/* port_parameter_get_reply.size includes the header,
+	 * whilst *value_size doesn't.
+	 */
+	rmsg->u.port_parameter_get_reply.size -= (2 * sizeof(u32));
+
+	if (ret || rmsg->u.port_parameter_get_reply.size > *value_size) {
 		/* Copy only as much as we have space for
 		 * but report true size of parameter
 		 */
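Review bot: The new subtraction `rmsg->u.port_parameter_get_reply.size -= (2 * sizeof(u32));` has no lower-bound check and runs before `ret` is tested. If the size field is unsigned and a reply reports fewer than 8 bytes (for example on an error status), the result wraps to a very large value. The `> *value_size` test then takes the truncating branch, which would copy `*value_size` bytes from a reply that may not contain that much data. Consider testing `ret` first, rejecting any reply whose size is below `2 * sizeof(u32)`, and computing the payload length into a local variable rather than rewriting the received message in place. The commit message also mentions a belt-and-braces limit on the copy length, but the only change to the condition visible in this hunk is the dropped parentheses, so it is worth confirming that the clamp is part of the patch.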
-- 
2.11.0

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel


