On Thu, Sep 01, 2022 at 06:32:53PM +0300, Dan Carpenter wrote:
>
> @@ -263,7 +264,13 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
>  ucode = (struct ucode_header *)fw_entry->data;
>  mcode = &cpt->mcode[cpt->next_mc_idx];
>  memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ);
> - mcode->code_size = ntohl(ucode->code_length) * 2;
> +
> + code_length = ntohl(ucode->code_length);
> + if (code_length >= INT_MAX / 2) {
> + ret = -EINVAL;
> + goto fw_release;
> + }
> + mcode->code_size = code_length;

Where did the "* 2" go?

BTW, what is the threat model here? If the firmware metadata can't be
trusted, shouldn't we be capping the firmware size at a level a lot
lower than INT_MAX?

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
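Review bot: the `INT_MAX / 2` bound in the quoted hunk only makes sense if the doubling is still applied, but the new assignment `mcode->code_size = code_length;` drops the `* 2` that the removed line had, so either the scaling is silently lost or the check is guarding a multiplication that no longer happens; restore `mcode->code_size = code_length * 2;` after the check, or if the size is now meant to be stored unscaled, change the bound and say so in the commit message. The declaration of `code_length` is outside this hunk; it should be `u32` to match what `ntohl()` returns, since an `int` would let values above INT_MAX wrap negative and slip past the `>=` test.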