Re: [patch] [media] firewire: firedtv-avc: potential buffer overflow

On Mon, Sep 08, 2014 at 02:40:33PM +0200, Stefan Richter wrote:
> On Sep 08 Stefan Richter wrote:
> > On Sep 08 Dan Carpenter wrote:
> > > "program_info_length" is user controlled and can go up to 4095.  The
> > > operand[] array has 509 bytes so we need to add a limit here to prevent
> > > buffer overflows.
> > > 
> > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > 
> > Reviewed-by: Stefan Richter <stefanr@xxxxxxxxxxxxxxxxx>
> > 
> > Thank you.
> 
> Oops, that was a bit too quick.  After the memcpy() accesses which you
> protect, there are another four bytes written, still without checking
> the bounds.

Thanks for catching that.  I'll send a v2 soon.

Btw, my static checker complains about the remaining memcpy() in this
file:

drivers/media/firewire/firedtv-avc.c:1310 avc_ca_get_mmi() error: '*len' from user is not capped properly

This static checker warning has a lot of false positives.  I looked at
the code for a long time but couldn't figure out why it thinks "*len"
is untrusted.  I also wasn't totally sure that it was safe?

regards,
dan carpenter
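
The gap raised in the thread (a limit that covers the memcpy() but not the four bytes written after it), as an added example that is not code from this thread or from the driver. The 509-byte operand[] size and the 4095 maximum come from the messages above; `memcpy_only_fits`, `append_with_trailer`, `write_pos` and the big-endian trailer layout are hypothetical names and assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPERAND_SIZE 509 /* operand[] size given in the thread */
#define TRAILER_LEN  4   /* the "another four bytes" written after the copy */

/* Incomplete check: only proves that the memcpy() itself fits. */
static int memcpy_only_fits(size_t write_pos, size_t src_len)
{
    return write_pos <= OPERAND_SIZE && src_len <= OPERAND_SIZE - write_pos;
}

/* Hypothetical helper: copy src_len user-controlled bytes to operand[] at
 * write_pos, then append a 4-byte big-endian trailer. Returns the new write
 * position, or -1 if the copy plus trailer would pass the end of operand[]. */
static int append_with_trailer(uint8_t operand[OPERAND_SIZE], size_t write_pos,
                               const uint8_t *src, size_t src_len,
                               uint32_t trailer)
{
    /* Subtract instead of add so a huge src_len cannot wrap the sum. */
    if (write_pos > OPERAND_SIZE - TRAILER_LEN ||
        src_len > OPERAND_SIZE - TRAILER_LEN - write_pos)
        return -1;

    memcpy(operand + write_pos, src, src_len);
    write_pos += src_len;
    for (int shift = 24; shift >= 0; shift -= 8)
        operand[write_pos++] = (uint8_t)(trailer >> shift);
    return (int)write_pos;
}

int main(void)
{
    uint8_t operand[OPERAND_SIZE] = {0};
    uint8_t user[4095]; /* constructed input, maximum length from the thread */
    memset(user, 0xAA, sizeof(user));

    /* 497 bytes at offset 10 end at 507: the copy fits, the trailer does not. */
    printf("memcpy-only check: %d\n", memcpy_only_fits(10, 497));
    printf("full check:        %d\n", append_with_trailer(operand, 10, user, 497, 0));
    printf("495 bytes:         %d\n", append_with_trailer(operand, 10, user, 495, 0));
    return 0;
}
```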




