In the while loop of technisat_usb2_get_ir, it scans through a fixed-size buffer read from the device side; the termination condition of the loop is `*b == 0xff`. If no `0xff` byte is read from the device side, OOB access happens. This patch fixes the bug by adding an upper bound in the while loop. Reported-by: Hui Peng <benquike@xxxxxxxxx> Reported-by: Mathias Payer <mathias.payer@xxxxxxxxxxxxx> Signed-off-by: Hui Peng <benquike@xxxxxxxxx> --- drivers/media/usb/dvb-usb/technisat-usb2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c index c659e18b358b..181f5f97af45 100644 --- a/drivers/media/usb/dvb-usb/technisat-usb2.c +++ b/drivers/media/usb/dvb-usb/technisat-usb2.c @@ -612,6 +612,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) u8 *b; int ret; struct ir_raw_event ev; + int i = 0; buf[0] = GET_IR_DATA_VENDOR_REQUEST; buf[1] = 0x08; @@ -656,11 +657,15 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) ev.pulse = 0; while (1) { + // only `ret` bytes are read from the device side + if (i >= ret) + break; ev.pulse = !ev.pulse; ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000; ir_raw_event_store(d->rc_dev, &ev); b++; + i++; if (*b == 0xff) { ev.pulse = 0; ev.duration = 888888*2; -- 2.23.0
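Review bot: In the first hunk (the `@@ -612,6 +612,7 @@` declarations), the new counter `int i = 0;` tracks something the function already has: `b` advances over the same buffer, so the bound could be expressed as `b - buf < ret` without introducing a second variable that must be kept in lock-step with `b++` by hand. If the counter is kept, it should be declared in the order the rest of the driver uses for locals, and its relationship to `ret` (the number of bytes actually received, not the buffer size) deserves a short comment at the declaration rather than only inside the loop.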
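Review bot: In the second hunk (the `@@ -656,11 +657,15 @@` loop), the bound check `if (i >= ret) break;` sits at the top of the loop, but the dereference in `if (*b == 0xff)` happens after `b++; i++;` and before control returns to that check, so the last iteration can still read one byte beyond the `ret` bytes the device returned; the 0xff test should be guarded as well, e.g. `if (i >= ret || *b == 0xff)`, or the loop rewritten as `for (...; i < ret; ...)` so every read of `*b` is covered. The hunk also does not show where `b` starts relative to `buf[0]`; if `b` does not begin at `buf[0]`, then `i` counts from a different origin than `ret` does and the bound needs that offset subtracted. Finally, kernel style is `/* ... */` rather than `//` for the added comment.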